Malware Analysis Report

2025-08-05 16:50

Sample ID 240816-zesd4ayhnm
Target http://google.com
Tags
defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://google.com was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan

Modifies Windows Defender Real-time Protection settings

Deletes shadow copies

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

Enumerates physical storage devices

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Opens file in notepad (likely ransom note)

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 20:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 20:38

Reported

2024-08-16 20:45

Platform

win10v2004-20240802-en

Max time kernel

440s

Max time network

444s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\ir.idl C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Restore-My-Files.txt C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\Restore-My-Files.txt C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Program Files\dotnet\host\fxr\6.0.27\Restore-My-Files.txt C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\tzmappings C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\Restore-My-Files.txt C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.ELM C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.INF C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Restore-My-Files.txt C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683143036102323" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command\ = "C:\\ProgramData\\jlh1olim.exe \"%l\" " C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Loki\ = "Loki" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open\command C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 5064 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 5064 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 4416 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 5084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 5084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4736 wrote to memory of 1292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: 76A7FAED\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xdc,0xe0,0xd4,0xd8,0x104,0x7ffbf519cc40,0x7ffbf519cc4c,0x7ffbf519cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1852 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2396 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3020,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3064 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3024,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4476 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3316,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5052,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5032,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4944 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5044,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4400,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5368,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5620,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5556 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5048,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5140,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5824 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=928,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5360 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CMDWatcher_v0.4\" -spe -an -ai#7zMap10430:90:7zEvent16091

C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe

"C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5988,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6012 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5064,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5696,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3532,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5952 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\f39802b6817ffa5da5e9d779bb3711c5554f0373f0678bb309fcd009c0acd40d\" -spe -an -ai#7zMap27909:190:7zEvent5047

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5976,i,14683664092277800866,8372962531196856169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5936 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\" -spe -an -ai#7zMap30614:190:7zEvent3970

C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe

"C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\logs.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lxia11mm\lxia11mm.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD84.tmp" "c:\ProgramData\CSCD1BAFB453BD5467DB198782833FE1055.TMP"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\SysWOW64\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
FR 142.250.201.174:80 google.com tcp
FR 142.250.201.174:80 google.com tcp
FR 142.250.201.174:443 google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
FR 172.217.20.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 227.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 202.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
FR 142.250.201.174:443 google.com udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
FR 216.58.214.174:443 ogs.google.com tcp
FR 142.250.179.78:443 apis.google.com tcp
FR 172.217.20.202:443 ogads-pa.googleapis.com udp
FR 216.58.214.174:443 ogs.google.com tcp
FR 142.250.179.78:443 apis.google.com tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com tcp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com tcp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com tcp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com tcp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com tcp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com tcp
US 8.8.8.8:53 lh5.googleusercontent.com udp
FR 142.250.179.65:443 lh5.googleusercontent.com tcp
FR 142.250.179.65:443 lh5.googleusercontent.com tcp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 206.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 65.179.250.142.in-addr.arpa udp
FR 142.250.179.65:443 lh5.googleusercontent.com udp
US 8.8.8.8:53 id.google.com udp
DE 142.251.209.131:443 id.google.com tcp
US 8.8.8.8:53 dns-tunnel-check.googlezip.net udp
US 8.8.8.8:53 tunnel.googlezip.net udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 8.8.8.8:53 131.209.251.142.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
FR 172.217.20.214:443 i.ytimg.com tcp
FR 172.217.20.214:443 i.ytimg.com tcp
FR 172.217.20.214:443 i.ytimg.com tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 157.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 66.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 214.20.217.172.in-addr.arpa udp
FR 142.250.201.174:443 www.youtube.com tcp
FR 142.250.201.174:443 www.youtube.com udp
FR 172.217.20.214:443 i.ytimg.com tcp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 151.101.194.49:443 bazaar.abuse.ch tcp
US 151.101.194.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 49.194.101.151.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
FR 216.58.213.66:443 googleads.g.doubleclick.net tcp
FR 142.250.74.230:443 static.doubleclick.net tcp
FR 142.250.178.138:443 jnn-pa.googleapis.com tcp
FR 216.58.213.66:443 googleads.g.doubleclick.net udp
FR 142.250.178.138:443 jnn-pa.googleapis.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 66.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 230.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 138.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 168.214.58.216.in-addr.arpa udp
FR 142.250.201.174:443 www.youtube.com tcp
FR 142.250.201.174:443 www.youtube.com tcp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.202:443 jnn-pa.googleapis.com tcp
FR 172.217.20.202:443 jnn-pa.googleapis.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 172.217.20.202:443 jnn-pa.googleapis.com tcp
DE 142.251.209.131:443 id.google.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
FR 172.217.20.214:443 i.ytimg.com udp
US 8.8.8.8:53 www.kahusecurity.com udp
US 75.119.204.85:443 www.kahusecurity.com tcp
US 8.8.8.8:53 85.204.119.75.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
FR 142.250.201.174:443 www.youtube.com udp
US 75.119.204.85:443 www.kahusecurity.com tcp
FR 216.58.215.35:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons.gvt2.com udp
US 142.250.68.227:443 beacons.gvt2.com tcp
US 8.8.8.8:53 35.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.68.250.142.in-addr.arpa udp
US 142.250.68.227:443 beacons.gvt2.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.174:443 www.youtube.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 bazaar.abuse.ch udp
FR 172.217.20.202:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
FR 216.58.213.66:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 beacons2.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
FI 108.177.14.94:443 beacons2.gvt2.com tcp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
FI 108.177.14.94:443 beacons2.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 94.14.177.108.in-addr.arpa udp
US 8.8.8.8:53 e2c43.gcp.gvt2.com udp
NL 35.214.142.18:443 e2c43.gcp.gvt2.com tcp
US 8.8.8.8:53 18.142.214.35.in-addr.arpa udp
US 142.250.68.227:443 beacons.gvt2.com tcp
FR 172.217.20.196:443 www.google.com udp
FR 172.217.18.206:443 encrypted-tbn0.gstatic.com udp
FR 142.250.179.65:443 lh5.googleusercontent.com udp
FR 142.250.201.174:443 www.youtube.com udp
US 8.8.8.8:53 google.com udp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
US 216.239.34.157:443 tunnel.googlezip.net tcp
FR 142.250.201.174:443 google.com udp
US 8.8.8.8:53 bazaar.abuse.ch udp
FR 172.217.20.202:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 clients2.google.com udp
US 142.250.68.227:443 beacons.gvt2.com udp
FR 142.250.178.142:443 clients2.google.com tcp
US 8.8.8.8:53 142.178.250.142.in-addr.arpa udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 beacons3.gvt2.com udp
FR 172.217.20.195:443 beacons3.gvt2.com tcp
FR 172.217.20.195:443 beacons3.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 195.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 bazaar.abuse.ch udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.43:139 tcp
N/A 10.127.0.44:139 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.37:139 tcp
N/A 10.127.0.39:139 tcp
N/A 10.127.0.38:139 tcp
N/A 10.127.0.45:139 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.40:139 tcp
N/A 10.127.0.46:139 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.48:139 tcp
N/A 10.127.0.41:139 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.49:139 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.50:139 tcp
N/A 10.127.0.52:139 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.53:139 tcp
N/A 10.127.0.55:139 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.54:139 tcp
N/A 10.127.0.56:139 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.57:139 tcp
N/A 10.127.0.59:139 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.64:139 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.61:139 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.62:139 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.63:139 tcp
N/A 10.127.0.69:139 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.66:139 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.65:139 tcp
N/A 10.127.0.72:139 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.77:139 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:139 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.89:139 tcp
N/A 10.127.0.93:139 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.94:139 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.95:139 tcp
N/A 10.127.0.92:139 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.97:139 tcp
N/A 10.127.0.100:139 tcp
N/A 10.127.0.101:139 tcp
N/A 10.127.0.106:139 tcp
N/A 10.127.0.78:139 tcp
N/A 10.127.0.107:139 tcp
N/A 10.127.0.82:139 tcp
N/A 10.127.0.134:139 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.79:139 tcp
N/A 10.127.0.83:139 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.236:139 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.47:139 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.76:139 tcp
N/A 10.127.0.75:139 tcp
N/A 10.127.0.74:139 tcp
N/A 10.127.0.73:139 tcp
N/A 10.127.0.70:139 tcp
N/A 10.127.0.71:139 tcp
N/A 10.127.0.67:139 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.68:139 tcp
N/A 10.127.0.60:139 tcp
N/A 10.127.0.58:139 tcp
N/A 10.127.0.51:139 tcp
N/A 10.127.0.42:139 tcp
N/A 10.127.0.151:139 tcp
N/A 10.127.0.149:139 tcp
N/A 10.127.0.155:139 tcp
N/A 10.127.0.142:139 tcp
N/A 10.127.0.150:139 tcp
N/A 10.127.0.136:139 tcp
N/A 10.127.0.135:139 tcp
N/A 10.127.0.137:139 tcp
N/A 10.127.0.84:139 tcp
N/A 10.127.0.81:139 tcp
N/A 10.127.0.80:139 tcp
N/A 10.127.0.131:139 tcp
N/A 10.127.0.108:139 tcp
N/A 10.127.0.122:139 tcp
N/A 10.127.0.124:139 tcp
N/A 10.127.0.119:139 tcp
N/A 10.127.0.120:139 tcp
N/A 10.127.0.114:139 tcp
N/A 10.127.0.113:139 tcp
N/A 10.127.0.111:139 tcp
N/A 10.127.0.110:139 tcp
N/A 10.127.0.112:139 tcp
N/A 10.127.0.109:139 tcp
N/A 10.127.0.157:139 tcp
N/A 10.127.0.105:139 tcp
N/A 10.127.0.104:139 tcp
N/A 10.127.0.103:139 tcp
N/A 10.127.0.99:139 tcp
N/A 10.127.0.102:139 tcp
N/A 10.127.0.174:139 tcp
N/A 10.127.0.96:139 tcp
N/A 10.127.0.98:139 tcp
N/A 10.127.0.91:139 tcp
N/A 10.127.0.90:139 tcp
N/A 10.127.0.88:139 tcp
N/A 10.127.0.86:139 tcp
N/A 10.127.0.85:139 tcp
N/A 10.127.0.166:139 tcp
N/A 10.127.0.165:139 tcp
N/A 10.127.0.161:139 tcp
N/A 10.127.0.172:139 tcp
N/A 10.127.0.168:139 tcp
N/A 10.127.0.171:139 tcp
N/A 10.127.0.173:139 tcp
N/A 10.127.0.164:139 tcp
N/A 10.127.0.159:139 tcp
N/A 10.127.0.163:139 tcp
N/A 10.127.0.116:139 tcp
N/A 10.127.0.115:139 tcp
N/A 10.127.0.162:139 tcp
N/A 10.127.0.118:139 tcp
N/A 10.127.0.121:139 tcp
N/A 10.127.0.123:139 tcp
N/A 10.127.0.125:139 tcp
N/A 10.127.0.160:139 tcp
N/A 10.127.0.117:139 tcp
N/A 10.127.0.127:139 tcp
N/A 10.127.0.128:139 tcp
N/A 10.127.0.126:139 tcp
N/A 10.127.0.129:139 tcp
N/A 10.127.0.130:139 tcp
N/A 10.127.0.133:139 tcp
N/A 10.127.0.138:139 tcp
N/A 10.127.0.139:139 tcp
N/A 10.127.0.141:139 tcp
N/A 10.127.0.140:139 tcp
N/A 10.127.0.144:139 tcp
N/A 10.127.0.143:139 tcp
N/A 10.127.0.145:139 tcp
N/A 10.127.0.146:139 tcp
N/A 10.127.0.147:139 tcp
N/A 10.127.0.153:139 tcp
N/A 10.127.0.156:139 tcp
N/A 10.127.0.154:139 tcp
N/A 10.127.0.148:139 tcp
N/A 10.127.0.152:139 tcp
N/A 10.127.0.167:139 tcp
N/A 10.127.0.169:139 tcp
N/A 10.127.0.176:139 tcp
N/A 10.127.0.132:139 tcp
N/A 10.127.0.170:139 tcp
N/A 10.127.0.175:139 tcp
N/A 10.127.0.177:139 tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
FR 216.58.215.35:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 loki-locker.one udp
US 107.178.223.183:80 loki-locker.one tcp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 107.178.223.183:80 loki-locker.one tcp

Files

\??\pipe\crashpad_4736_HHSHBLXQCKCJAOYA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

MD5 3e552d017d45f8fd93b94cfc86f842f2
SHA1 dbeebe83854328e2575ff67259e3fb6704b17a47
SHA256 27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6
SHA512 e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 955999334cc3f7a62c4fa89e386f5d0e
SHA1 a0752fb0aa00891658c4d644f5773321f1fe8db6
SHA256 0d8bdd71590ce101fc312b8d837ee4252acc9d7e60a5f9849dde0f2ab05f9686
SHA512 a5eeeb3c259e10d80280f7dfe75f21d1dc67f67a82466a69bf0d5e08accd1225b9871497d4cf760b0c208955f0f82341bc1e6a72a73d0f91995f080c2578cb66

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a5130d0b7c8f550ad1a55e6341cb6945
SHA1 419462bbc4b96d757c1aa046fcf1553cbf25a217
SHA256 5a9798952072f48500059521486f5b54598a9aba70219de94bf8c910a93baefc
SHA512 bbafd10fcf7f4251290cc21a90866b70df366fbfbb5d42b274361dea45bff5659eede77df144fd9db678c34e67655849714b00ad6dc7b3b9d393c57f94e46325

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2a9f91ba08273da40fb5ba7ab80bb3f5
SHA1 6d2a601eee9bf4bd48fd376a2b0e516da03d38c7
SHA256 0f150c54c436827918f62d32843a19c7db18b1415e23c7f037b8bf17990043ef
SHA512 104003c606252d059f6f54f189a887d1a7f1278a520f236fbd4f0b7c63c326d10ff0747e4004759ccb5356d624511ddedc25b3f7a96722721cec1a657ca62fec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f53fc10df1813f96d6c51039866f02f9
SHA1 b669f340d69c7afd27e994f256beb358f9f64440
SHA256 5aac4a3236736cc7b923d3cdccf4533a9cc025a3a23e18cb0ca22612f8d9e916
SHA512 ba96dfb7f80b46167599f6cc1d5dd952d0a5701fde083513ffe9de34ac8e3ac559463a8327192dceaa7e595184b18a11ecbe2167a6137d52a106c91c01ab91a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a3096c158b445138da4800c672ce3b99
SHA1 e12d249324d1ebf610a91cc935082fce3afc4bcf
SHA256 4f0fe0d23cbe440a4f9a728700b026d149690db7e5fa632c6a586f10ff71a69a
SHA512 e2c6a1ddaf0aaf0e726e82b9c8d905169b2db4450ff682b2511dc90bb1e2deb0c26409d0e28f437e1c8dbdc138c205fde0d1d4ffa7218387a28a3c3631edeae8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9213af3908fc6091b75a04b2a1bb5562
SHA1 503bd312b51e1afa86038aa71d4141d2c1aec1a7
SHA256 1214faff46e4c0b965ff9a6866601d6e61b5de51f7ee0ba1721f7dffa7cf436a
SHA512 cc86dbdd38735a8fa84e862f4ff62bfe4b2a7af22545e1de43af7cca424c71a43cf8fe14a9411ac07c5e52a0cada6329c5b4dbb71d527018ab93a44a9e4a4785

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f8dd6f75bb3ad86698db90dd3340b3fc
SHA1 15f540be5d5cd0e0336874f70488018276eca652
SHA256 3e7a0607780bc7c408c9c45c5c93b385c16328b89c20e1fac13c71a42d57b5a9
SHA512 6759458a554dc5d3c55e21393e3de3aa7b75e822b5cceb4713334dbdbbb0f9e584b416b7d0b342f31b5fe439acb99b8fc291e0b728d9a954e8d8ba02be38d55f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

MD5 a7a2f6dbe4e14a9267f786d0d5e06097
SHA1 5513aebb0bda58551acacbfc338d903316851a7b
SHA256 dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc
SHA512 aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe585a60.TMP

MD5 dd2d086d4d78d6f7bcd31701baf73ed1
SHA1 ab18a4f8ade8a848c5efe4666751fa63de7fc842
SHA256 f10329f65d26ef2d3ce62a698e0db413b4a697746bbcb22123b380ac3fda3837
SHA512 ab6c8245e7c6f5325285bb83792e21f64e300dacf8e40f9db38bfc7bfad543ed320a0b02da5ad49fb7e27a9f006c06c8ebff33a8f5c4e4947b823f673cf4a120

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2fd4ca31d19f6c9fc1fdbfe95677f288
SHA1 2c9dabcd04c340ba97263b99a8e42b14e8e8d266
SHA256 38a5c978b4f374c30275e667bb8d81f9c75beaa5508a6dd47aa5c2253bc90071
SHA512 152c017b53f1221bfd7dc9c227b4b74851247d416775eb6d6fdedb6acd09a16f94d0bdeb6e1f7a5f47acf6b97f4bc805d19dd1e201b8c09718de9a6929d8f3aa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

MD5 c594a826934b9505d591d0f7a7df80b7
SHA1 c04b8637e686f71f3fc46a29a86346ba9b04ae18
SHA256 e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610
SHA512 04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt.tmp

MD5 b524dcb46e8f00e7308693831c1e3964
SHA1 bb7c13ceda2bc6ef82d3e17415486c306ed839bc
SHA256 b6db13e276c86806c4b316f0789baabc5e4d594014cdcd4a696c35688bb49687
SHA512 f9bb235104cbaf076c63c65efc44f50d68b74ecb20b1b40b35a66dd5ab4e6709637ad63893d0a873fea36a6927656f3c391427458606a58728edfa5892a00962

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 eb3734b4ae61adb42765109442cca132
SHA1 51ee9665ad69ea40ceee2935efb339f53e7f5544
SHA256 e6076682a76dd03c667c1ad310e9e9688fc567afc882dec80e37b331a67088eb
SHA512 c6c1739f2c5de1caf452febecccede91a0910a52f9c76a6854134f0450f030df231f4a39548007dc8416044884df6368236b6354beb92dd006cdb5741126463f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c8f6f4aecac3f5516f21aec2769478c0
SHA1 8f4de3c51b430270b9f3fe577b4049cb64e1dcdf
SHA256 adb0f190da76587f561fd225b1302ae8a0764931f28eb4073ac1803b24a7ea0e
SHA512 3e3b0da5dd515cd163ed6a9274e1e7507a0f5ff51b81dbe2974ee76b6150a660fbd30b827953584d3e2875672f4985718cd1e590eac3f4ce1f2e73861b965df5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ed92b40efe68e534922d646842f7dfa7
SHA1 e6080414062b6c0aba2da1c1b756caa05a3f0e5e
SHA256 c8a2b7c56edbde754b4aa269d61bf8e344bfc0b453f9f870b8d7c6ace04fe850
SHA512 77e3d8459edb80e8df4f866cdee6b97cc5f347b4fb9514568fa416194478d1a7077acedf4352755b9d8225833bb1b8b248b156e393f6c2337751cb08ad6a7fb5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 fd03b6c84f5e6c23ca69b1f27ec848f1
SHA1 b8e17c871eeda7aecc8454053dd323f222033c8e
SHA256 122cf5af1d40f7555e8a089972357044af39dc731f4eb8fd66b6ac20cb0c9fb0
SHA512 94050a1278b87ba9e54ec840c42c5cdca32823ca2b0cb76ebdcdf3ed2d8db172ed8f695ee2b56deb025bf284d1db98669699e00e761b3e6d5c3d397f3d6076d9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 28ef60053d8dc227afedc8cf126cac4e
SHA1 444b286c1be4929e8943123e3b9d7c885e72deb0
SHA256 fdd510bcf8912957a3d9e8ad300c5ce420e23b0e313a9a8ca9dd38cc6686dcfe
SHA512 484edc87c56fa0133a502c46b86f106b4a7dee2e79c744aff9c63f4d705608e6f5495b66ce81238a55ad480b4dccdde453af5e46334dcc15021ef3d32f4b1ea8

C:\Users\Admin\Downloads\CMDWatcher_v0.4.7z.crdownload

MD5 477266ec255352f3e1d183a628e48073
SHA1 902219e1756d3c7514d4e115c383658b716dd2b5
SHA256 df9da98c0e3e6ab223c4bc27290a51dba5628bf9468f4ea0bdd2cdaba673e9e1
SHA512 96216f54a2052e94f321bafba0bb62ed161fcc046eccf4e1005144a75e57f01db1cf3b7edeaf0a64e1b05aa1555f6bb27df32434f851e81a20bd06cf3fcac717

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ac508c37f49d19fff9f9e8f0adc316da
SHA1 1410492e8e73f5c178953920b539bdc7d5de7da2
SHA256 7ff7d491551725c16cc7f37386ae26dc3539e9ed1b541bc02e29250d7dede7ad
SHA512 2b12ad96f5019bf7a65aba5d073a0bee40a283fb7cdec961a9815f36a8ba11a7db90afcfab325be0238a4eef9d4a405e6d15d07247e4961d562812727c7a1b86

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 de66d8324fde3a1bafa95e158b460fce
SHA1 614c1d51b99a5bd373bd4d232c4d8fbf6048c719
SHA256 8bcc6277145255222844d4c5a10674f35a74fa02c3fda65c82cf205c1919a04f
SHA512 3f3379fd8f02dff01197c379ab7e138813aff3470cc31351b0eed5ab9cf367843f2ab199d80f563824e9f4a91f039e7c2508999c5b88c4510fcae2d184d782d2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c905195dc8388ab91e98bfb775fe0481
SHA1 05d3de37437cf65d81d5f0bf6761d3bd39d839f9
SHA256 40c57566618577ca75ee42d07d12b361a7f0e01dc9381b336ba85c1df9f0a711
SHA512 0ee697eaebf30d3f14a1f52f717bc661e5275dc3323240057352fb8be836fa45a8012b669e55acf3c24a28ea09a27f7ad2c1262ec4f9e469aee5386fd5f91aec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9e8ee2117d43f7d16bac831437911626
SHA1 aeeedb9f35e012acb95aa47eb1388c450d77acfd
SHA256 cb391cf8254077aaffbafd0466f4b096270d5b95f32fbf88d7a304e19e91a34d
SHA512 2639903e652884cf6269393adcca0e6d541c8233b5875eda419b0c2c56b0e3dd2ac940712694019c8f5ec4570f8b6a8c7e9f586708a2e096b0afc54a6682641b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c63a8b81400e7000992a87039f86d62f
SHA1 5807666e5cee5229076653a1542e47dc1f979c8d
SHA256 ddfcf31c34e53e586b0c6a0e94fe66d70ab1fbe195eeeb256dcfe38650522b9e
SHA512 58224ddd46596106267b9bc6be76e95ccdf34cd256ce50014e61a60f59b3a465f3af830a69d17808e15d914f1b17fb72594cc6d6d4532b0ff34ac5953d1e35b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 498be0e543cb5ffc7cc742ece95a7932
SHA1 14df86a550f63f55b5e3a76ffbe562417e7be069
SHA256 487444a035db7171c4adba97b840dafa12da523418d236f67899efb0475c4d23
SHA512 3b1e7a8f229be2e2f6133c48ba29b0b3b78742f2d6a7ba2a1db000ab5579a14a55d73f4106b3c30abcc213717027debd7ce4a7275a6989b8facf0437e2d0f1b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 21e21ea47adaf6067a098034d4f673b7
SHA1 72f669cd0437bc0e4a4d517018d3b1e4b7caa4d3
SHA256 795c71b8f1ac29c8b831652b7ee1571756b5b4058d2f310e32cfe68906a40790
SHA512 f99446a8f9a30c406f49c4ea4ffd5dcf60fc45c8b53ed9abd09022c7a2f0c5d6866fefb9b6df63ec53a7f8fd07e52a1c384041e92d3bfad146d5c7a083e5ac1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd62aa99e2a44fa65d1378a66cb22800
SHA1 a1611b23253a17f29be766a958047733470eca85
SHA256 4b423023cfa3f673dff2177231a9c8d400fdf0bc03d605941ac01c3b008bfde2
SHA512 aa8a280235fb5ce56b4b2a3c299a8f5da493dde97f8b2956412e982070a05691040cde56f6c17a508571fe278b55e64fc829f724e2ec7480182ef73664da8f24

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

MD5 3b5537dce96f57098998e410b0202920
SHA1 7732b57e4e3bbc122d63f67078efa7cf5f975448
SHA256 a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88
SHA512 c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d974e3f840bb9a54b23774658106e976
SHA1 2d6f825e4b0b1ab331fbbd9c84c688135d8f0411
SHA256 578a6a1a00288047543694502301b35d7bc1a0deda9ed5d8bed2cf09ead02945
SHA512 aa7414060d2b78b95e01e85e81693084643324f79cd9799dfb431442c72467e27daeb92ca37307aeb76fd95d9918df3a46250496afd2363b37cdd1013e522f34

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f759481ee9e940cf8a86d82f3ac289e5
SHA1 b0e48eb7f7586015c145340d6283a7582ea7a417
SHA256 ec5c681cde0bafd84eb035104b83c6f36174d0501dad8925b4b0e9841d4cbe08
SHA512 3e63a5f3a9608370fa72753723c9b6e8840361901f75625d650241f538ad38f08659f9df71d2ddaaa13995da96c686c57630a26a54e981e0b3a00cefd6444260

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

MD5 36bfd23efe0fbf170c8395890efd9e17
SHA1 1827a887284d7b03702154bce0bee282c88e07fb
SHA256 241675655f6c39747d3fa2d3fbf490fb17620b0042573c1c85f576cf74d754a7
SHA512 eddf3d37d47a82ba43493a464955763a08b49d2c219f3b807c102ebb5088a6a5fe00765869c7959ad3a55003d97faa34d34bbbbcc17ed80eadbe64561e7ec894

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c2960afa56f40ddc190a715c43549730
SHA1 7a61ef466139fe74c273472c8af42e886a4313b5
SHA256 e58b03ce1c6ed1a4ce81ed30f37c7e67d7bb2ee3a09db442362e1f9ab67cb282
SHA512 e8349f7296d624f4a061226649956e760e2de1439d8fe6c82a22874a7f8af7d8e72359c77a9715e0844c37b5ae37f0b548bc6524c3de6a9f41c3f8c26560d27f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 09487f5fd613e483a7824a63c88f8bd6
SHA1 e8a37b2cd326114a27ecca58e58ef38d53e6f666
SHA256 34a3b8133472cdab54411c20f0b8e6c0875a83cfeb9049ef8ceda8ebbee29ce6
SHA512 c69cca696e731158a4fbe284679b1a465e77ecc2bc7a4390bfe8708e89b42d3f00ffdf5ba79aab7df08cac7a430dd8eab7d4f0d871ed66833b92aff8c6042bcf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fb58a2fa6c64e08aef9eda54323ec168
SHA1 bbd39a659d4ce2e1312de705151502e00d41edd4
SHA256 9963eebed55050fa10bbe0872d38617962041e6ca3b91047319fe83c6b0f9f5b
SHA512 9f56a8c67a1394ae9bdde533145167f08feabc9a13181179526e16e2d31c1705408affe61715a0688dd4e2c358bf37d2f4b9ff1261871f8f195ca2470b57817a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6cac8bb4a941a06a105c4a48a70e5a37
SHA1 5ada9e8076b7944c15044833babe0b75914b5848
SHA256 bb0490054b7a4a1175e5aa214ad7e65419f20ff5227b13cd82a288772f3a3805
SHA512 8f1978c021cdab3ebdb7aa10e41e04d646866a8359cc7ec40d687c9ee7073de70282392ffe2092d6f7153a8899e96819f321f89abce64aac49e5288d44c822c1

C:\Users\Admin\Downloads\CMDWatcher_v0.4\CMDWatcher64.exe

MD5 482abbf2fd84a712f565d48e286e034a
SHA1 7b33ec969cc501e1da26ade98309a544240636f2
SHA256 babbaa201e5e1bc3c68661e1c9f9a41430044446c127fb544b7294dab84ce6b7
SHA512 c06e49e0bdd91bff59a038bf466598717f7c7be49b06765a90642e0cce7d424a843939ea21035c53dd15a1a0e33f4e6ee4518f9a563fc0aec75d72cae1426431

memory/2748-681-0x0000000000E00000-0x0000000001CFA000-memory.dmp

memory/2748-683-0x0000000000E00000-0x0000000001CFA000-memory.dmp

memory/2748-682-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\B3ECAF7EF28870C436FCEB7E36B7B685\64\proccmdline64.dll

MD5 c591cb11e592d31487c528671d52cc3f
SHA1 10c424983eb5ef39621574ef9c049a50e9141006
SHA256 393b930e2968cd8f1f8cf7fc33645b9f6be24aa6f24d33bf962304b0448b3def
SHA512 a58655975d682c3ee8137f798afebe37bfad62d18d95b8a72fed3f72e31c0024f833bbcbf68e8baba84a59efe1ec91d3ffd36c0e31783662d71f4041bacc3497

memory/2748-690-0x000000001EAB0000-0x000000001EF7E000-memory.dmp

memory/2748-691-0x000000001F020000-0x000000001F0BC000-memory.dmp

memory/2748-692-0x0000000003940000-0x0000000003948000-memory.dmp

memory/2748-693-0x0000000005080000-0x0000000005096000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 f8d2234912169f223b981c534b3d7f23
SHA1 3b8a12f418bcfdd944121c6fae1df91f9d301a1d
SHA256 c20d499acd86cdfdbbc858ffe70c00816ecc3f895dbc8fe9543d0bfeacaa6775
SHA512 18fcf04c829647fee7b625b97b420aed54147661f6e23416592910c1c7274e2863a554b4074c150c65d7eddf9ce40d00ee0208e1fd869cfdf8c018a95e87051e

memory/2748-718-0x0000000000E00000-0x0000000001CFA000-memory.dmp

memory/2748-719-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ff10ff2b768af388273ffeeb2c351479
SHA1 be3ce7abd4f2c9fe5fae247a8299394e55a9b5c3
SHA256 e24b2e738ab1647cd55840bbbe322f52513022704c6e1e003f9560cd9aa72833
SHA512 4efe572d2f69ab1e9e495e2e745829023801900800df46c66096396b0cbeffa0bf89b69f5819d6c2c9f1e53368ad716a0ba081a0c1917ffa2d885e1d89338881

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9421bf0737e2a53c78bd5d6b073c35bc
SHA1 ca7139d4600a8d14caad72c280eda9d96304f2f4
SHA256 afe47fd8d5b778f2ab45641703a4df28780e5123553b6b47ebe4c6b4ca902316
SHA512 ee82850cfb6bf3e2d283ec0a5673a566494ae158327e41878889114fb834e3f0fdf9d957e0af80f4fda2fe4d5abd64d83b7c26920e9b3847e56589fd1511ab31

memory/2748-740-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

MD5 93acd9abaff0faa9bcbcd13166fe2ba1
SHA1 f15757fe2754f5183690d58607606e570f882260
SHA256 ea9e607e30fe355ed24d323a08cfad4edc3ce33fe02a214b86fc515c7a9f2ed8
SHA512 6cef03bfb49f7936111060c7b82f08f97f12f93cf099fe9c424572259dcfe5ee915c6fb99382a262457950fa0604f85ee8d29bebb4d46cdd23c8241ababaa832

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

MD5 6150f70346bed6a8dfe07416a9f184fc
SHA1 ba1c0f9981f6aa8587845a385b01261f07bba37d
SHA256 c952c3da7d9cf52d287e91be8c2b6593fed5efe093df536d15274c7c9c499242
SHA512 0335726493b39b2e3ba5001c512205eaca85d853deadb31c7d1224816d07cb95a9b744f74c1905f71fcc76792a22039d336c1898f3e3e53c88d838b2d1787f5d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 6538a735bfb44de170220084c8223b9d
SHA1 5175cffc5c2a6c2aadc2a58cb58d45764ab8dd90
SHA256 e83b08077c907d4b063d5a8074831e07125da560196ef56b2440525c93a7c999
SHA512 1f6d22340d9d8ed413cf44aa85aa302ff97b6205f966a7e5f58de3b0e7466224ffb5f1b41cef82993830728d9296edce2ca5d149e43ffefcfea987c79f154595

memory/2748-810-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1ef0c9286ad7e83ac6c54bce018158d6
SHA1 c03310e6f9532bd170b0af2142e887d622e6dc5f
SHA256 1142c3225572050bb3fe84b06083b58bf873a99b493c136814678d676dfcc125
SHA512 7451374fcb33d7f370791398683e64e1cebea9ade20d8ffb2654f8b619479d00c9fe5b3fc089c5d3876c97aafd5137ee0bfb0bff83b64f5f22da81f9dce853e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d2c0a5075a89c6724a9f0b020f8dabfd
SHA1 0d6827e28c19336c4145a08cbd7649de74208a29
SHA256 254564214d42914165658b17551f753775c9f5f3b90bf77c47ec9636d759f791
SHA512 8f3516ab3ae217da834a6e6087abcee737d057805962e03944157528a0563d688a9720c5e45234303790f9a52c1384ba8436b7a688648adb809440e2319cba0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\41a4ebffd069515d_0

MD5 52200960dc4ad6026060ce41c0c410eb
SHA1 209724f89a4c8704548dd9c1c027c0009b33f908
SHA256 263ed8338fcf297104863b3014deec9630d2fb2cefa17ae0b6cb8fe41ac9acef
SHA512 c40d0af143e4a09a151952707ff6fef7cc30945548b399d7c0f0c8672b6da3d4f2be2fd3bc4ebd614d158174da53778930aae86c85009d7f0c1540e3cfb0ec80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b24f867f2d8d5fde_0

MD5 b6722549dc75bfd902d80da76942960b
SHA1 8c7ecf0ae8093336a0cc040565d9a799ae5b764c
SHA256 2bb4d4e30066b18f9962b3bcf4b3a6fc0c3cd12f9a2ac3f072935f027b4004ac
SHA512 e54fd01851c816697bf3c4bd32646c49cba8bbc68323b1393265069db32a5228c2a89eabcd5b70685ac33f260958103943ed1cff2e23c7659f1b245ae67a3107

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

MD5 888c5fa4504182a0224b264a1fda0e73
SHA1 65f058a7dead59a8063362241865526eb0148f16
SHA256 7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715
SHA512 1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

MD5 b15db15f746f29ffa02638cb455b8ec0
SHA1 75a88815c47a249eadb5f0edc1675957f860cca7
SHA256 7f4d3fd0a705dbf8403298aad91d5de6972e6b5d536068eba8b24954a5a0a8c7
SHA512 84e621ac534c416cf13880059d76ce842fa74bb433a274aa5d106adbda20354fa5ed751ed1d13d0c393d54ceb37fe8dbd2f653e4cb791e9f9d3d2a50a250b05f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

MD5 7e927e134bd5c6dfbcdc6234dd59aeaf
SHA1 aa7ae154c9d7b39b723a2df369988f9836d7f9a6
SHA256 908cf2181b99a1026b003e76f03e5ccf0ee87c6ad70c8af282a4283644fba0d3
SHA512 870bcbd9f266f9991a3ac8ef8bea04b3e73c706671826fa7601b87ccd432eedd470d68eeb1ac02a743cc2b72d33bf91d4098885438fa3e1dd64ca0627b85a12d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

MD5 36a10589b13ff0f7dd7646563eab3056
SHA1 72a1512aa5613415c5dc899dc55635fab0e58c1c
SHA256 e51527d3243af5c0673b263160c0b7cda5e16f40cdd111eb2765e8675d3cd01a
SHA512 11202fc69c54eb785d2dee804c4055a3c222f598fc3a82af6ac71d358e47482883c3713a25ac96c626affba9cc24883827f738f8f34c2d56baf70f0d512a87da

memory/2748-883-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a4f51bce4dd1dae80b68c0c49d402a44
SHA1 defeaf9f16774e4a6f29c91c9f96b61e83f677ae
SHA256 22dfd10691a4326a80a28ed44f8b0431dd5fa5feed2844bd2eceb63a90526415
SHA512 2713f1cc5f9434136b8084037e8c034579e28550b5b33953b1967b3fa54a9c64523fd8655a5c341a8fe66915be0cd0d27233cca89c6689baf39d60051707301e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c1ff22d898c94dd3136eba97101d15d9
SHA1 5f35528012a48f3f6d9e6aafc4b34b2ca14d8e19
SHA256 933c2df954219c6a39d1078b26fe755d3300536cdd82a82c5662ed780472b3f0
SHA512 b29e4e0958355787af9e335858e4c7b92f52da5e182cdaa0be209850d8dd7ca17162f4d350238a254bc1f0f6d54faec8d72edf20330fc04c15f2c4f356af5f2c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 13e151310c855d0c9dbc90ba0f03ae46
SHA1 4452f1c0a864995e79064ee786f5c5e84d5cfcc5
SHA256 706134311f1a108ae5a79d9f96859d259b053e7e0bb6014291365813a66fa445
SHA512 4d0b3885fb81f5415b6298568d8470c48d1a6d6c18eab15408a705acc68e0d37c69abbfe7c0d93239cba7898b5518866d16e3cdfb2ce6d83521ca70561a84c45

memory/2748-915-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e31f73b942c7643003a480740b6eac82
SHA1 fef5ae68db14ad4c593241022cd635cc6501b204
SHA256 281ef7a4aa1dbed641b5b3ce7a7b3f57bdfa4aed834ae7a8e78c8cb223512356
SHA512 1a82dc593aae8e91b380cfce772b113148c392955a4d08da19f864e215e873dd3be8483f1f3d77b56ac78cfa36dfbd76a97bd89b1140fc9069d9db0a1d198ab6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 9bdd875bd0efaac707f1a7f57bd6948d
SHA1 c9615e01260bcbfd08cf8b1e406c0d1d6e573b93
SHA256 0f4caba53d504c2548e76489ce0fc01507cf3e0f39c5bc33bb216680e7e3bf19
SHA512 64cba8dbd1d0c784988f90cbea474209d177df29a065c6f4441670617c5bdefa96cfba769c4f27134d2468a442176738264bc6dbd2db9fcc5a62b994c2e72a1d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2d177b37f638d03e8622ae479b792d70
SHA1 94e390ddabe233579a7258dd371eb697a4769d44
SHA256 e88a1bdeefc303b4b05278ddc5dfc1f71b2fe6859e131841f5e73783c83dac7a
SHA512 0b41fd27409f8fad81e85686f328371c522d1342db00503134a45a0c32b1aed8bd05b754f0d4d319d5409defd3c94bff1a47c78e4b882d9b79a95d34ab5e6a8d

C:\Users\Admin\Downloads\f39802b6817ffa5da5e9d779bb3711c5554f0373f0678bb309fcd009c0acd40d.zip

MD5 7a44a5536b2fb6ff769e4c8b5dce50f0
SHA1 433a4ae015a10c4ef60fae8090896dc289b9e411
SHA256 cfd4d49d3b5db7b5e635d5c5586f0e08828d5f85d5fd6d5a7f3feaece79b234c
SHA512 fbd8bc3d8721b729eeee0c90401c10fe46a3dfddd7cf655955c856d1500af1dbd63598ede82f97583f2c0b5e87067fe72973dd4505b892c2e8066854ce4c6818

memory/2748-947-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 a1d864aed4cf7eb56d45165de2e2785f
SHA1 cebb9e216c4dad39ff2b326eb210c22d947caf08
SHA256 7f7d5308183d53581f9dcb707bff678d1ee3c269f6723abf5ea7824ddd43ae99
SHA512 56a16934aa25c1f90aa906c7e7f1493e7edf5a023ca369fc67344f46b3cb454c3ca9cfb93a345d7eb001711c0f5c24ff5151e6f701e4b0fb97e45ba15d5a7b01

memory/2748-959-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4309714250a29b4920572405c98bba32
SHA1 ac26dd46d1f1c840446625bf3eede82a0974cf20
SHA256 cc0fa1f643a53aba09324901c60f59622b52fe30591b19e06b3f002d92cf0a4a
SHA512 0b7453ce8766ae9d73e3bf5b24522af0b5455681ac508f8de3610de16527cae1b7803641c725565722bca353187bd873fa09be9105accd288ff4dc566de180e5

memory/2748-971-0x0000000000E00000-0x0000000001CFA000-memory.dmp

memory/2748-973-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9228264cfe78b83616a0dca64d96353f
SHA1 2d52560c7e4c1dfc250f04247218c69bead48e7c
SHA256 5f06adb1d552e24218fc1da55f10ae46b42ea0748c3ba478d6eb8bc7deaba51c
SHA512 6c56aea84ca50c129d812c24032ee31f92c9c1b9f12e3b2fded73aff1e3da42f25eb1150fc961162e55201fe4710447b0e17d1fced5373d23751037347a16de2

memory/2748-983-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fcfe5c0351a4fdae141f55e9e8c7d472
SHA1 65166f682caefe58089cc1ba6cc6d1c956628f97
SHA256 064cb11ca57126e87fd60495084907f241ed2dedb32e62651cf484b45e7f836a
SHA512 a61ad3df7d10423a23227b2576d37c7979f04bcea27309b6b1180a202cb783d95316eaf212454aca4cdff7753dad893a47cdd903cbb15fc29f12ee90dc153033

memory/2748-994-0x0000000000E00000-0x0000000001CFA000-memory.dmp

memory/4692-995-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-997-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-996-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1007-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1006-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1005-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1004-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1003-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1002-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/4692-1001-0x0000025B26140000-0x0000025B26141000-memory.dmp

memory/2748-1008-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9719e28fc6ce6767173f6481480d8a1c
SHA1 26e0b0a4759134b6dd2e48574c738f92ac6cbee2
SHA256 5bb49d952d8436f3db40fb0b497245d4984cec721a5005708f5588d2dd63aeb1
SHA512 88da54f35514ef0b7ff6309f91216fd7e37f58c5a0b0f5fd005bba9ab1f98515a4132cb153c71af96b8bc7c954744dab226204c97162993e8ceebefb4a5f5934

memory/2748-1027-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f710384ffa34bf60639b71d111a8f9ef
SHA1 2104c6ba37b1227574b11f203c3fb9398f3738c0
SHA256 019a05ca2a16bb33457d2e3900e58ba1ed826fd711ae8991dd28e15177e9db5c
SHA512 99116621f52ed1343c17f4bb6f80d8e67a83c39e404ad7622d62430a2a22854f7a8a75b5ede108b77e7a8e6bcecd9cdf50b4fd14fb4939e0365c1ab2ade66542

memory/2748-1037-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7bf98efc4de60138753977d502ecf8e3
SHA1 a27014ba4c2449567a4f73d0665ae5849be21298
SHA256 ba672fabdad867fb450dc84a49e31875798e985b52c12ad11175cd61be3aef0f
SHA512 e45870c39921ddf933c456ec5526facc064bf2e26a4e2bff08d2afb8163459686e0261296481929d90aa358db80a980e10b8cef5080974bab50878d36d524b55

memory/2748-1058-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a82c00ac1b013b456fcc597366b11ff1
SHA1 6dcacc8f456943b061720b11441365bd306d88ff
SHA256 c850f434174a519d5795a720215ab33c691addaad04e0dc7de7acee206a03b74
SHA512 196942d3b31fbd500c08c594bc4203918df92c7df2c934b7fec8f0bac7a8d884ac41ea1e906e6ed2490a23ff6a99601c3db6a4a04169c816f32d4ad02ea130ac

C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.zip

MD5 e02374dfa8c4116e7e998760258c94b5
SHA1 1ca124f838426e59f231fe43da307bc97452cf73
SHA256 6c30caa94e99cf04555454a22823441751663470420d845090db3c8fbfeb707e
SHA512 cf27b63130b832615b70957f35f9ed9f7cc6c76389d50caf26a96a8cf422a1c74a617f3bc57d651d523057c823f461a9cefe78e166e6fa2c2e58cb1de28501d9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4f711a1709cd953302468a2288ebb842
SHA1 1b0ac797776d47edf7112bcceafb0e3c29b702c6
SHA256 ac9ef0329ef18a3d661302a3ed54bafae2e2a30b0161ad392583655d22b02e9f
SHA512 206d7e848c42e5eebd0142806660d9c608522869166a96c9affd87f3cce199a8f58eaf4889fcc6cef6272eee61da70f8258a534a849a2f60b962ea43bb559126

memory/2748-1081-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 6bd343c44cf6d76070e06c2c49535e1a
SHA1 aae7c4df5275e772eeed9aa0338c4685d7ae6bc9
SHA256 12f7933b9b9bd967fdce7cdc2bfed80340041dac05612cc3f272ae1a589b6f17
SHA512 45309f665359f6c36f8f2b62bf37693f2d50989578431af41165c9f3054f5ba20920c52f50fb4065f2fc188d312ad091bc76ee6ebb5ebf5741d7bef21d6e0575

memory/2748-1093-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7.exe

MD5 3504dd5ccaedef6d34d7e9090458e58b
SHA1 7b73993fb07c0b16171bad449e49c9344ca87d6a
SHA256 f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7
SHA512 837d045dc044b881e969c0a4dbf34b178142733a26c38f38f56f442aab5e3bb3d2bad8094a00f99575ab4417a4bc04ebb669552d9704a32793a88e0df8e9e19e

memory/3104-1099-0x0000000000430000-0x00000000004B0000-memory.dmp

memory/3104-1100-0x0000000004D70000-0x0000000004E02000-memory.dmp

memory/3104-1101-0x0000000004F10000-0x0000000004F76000-memory.dmp

memory/3104-1102-0x0000000004F80000-0x0000000004FF6000-memory.dmp

memory/3104-1103-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

memory/2748-1104-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3a1372c71a46f41badb00297dfe73931
SHA1 8a054df5d150360c4cfa12d6ff6220712472a945
SHA256 9fae50fc52f3487ebc14aff3263ce1d7e0817da4407460ef1e7b693381ee0a12
SHA512 3fb34f681b7f87ff610b89d3efea85c522abbdcc101e774277c044f17f3c1263fd676bc31e9bc14a141c6d54fcee5575f0dd1178bb511f94bcbfdd5e85a435da

C:\Users\Admin\Downloads\f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7\logs.txt

MD5 d2629d656fd422a1ff0c1b678fdc88c9
SHA1 a8c603c0f3ad4124a1b23a3da418e4e4c74adbf9
SHA256 b75488571b15f288ca3fe2dad78bfe2bd734848d694719ead49bb42237daec9a
SHA512 a84a83124db3f04899cbd3bf7fa658d5e488eb4f23ec5b5c8153cc0cd06e2f61d9c0f3533e8f5f2c578afe8f2a1ca66a3069d1ba07348b3e783ebd87a67653ad

memory/2748-1116-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d6131f5c8e2d70f3e503070167fd1957
SHA1 20815170468611bd0f219a067f917454c6cbbff1
SHA256 2ae55f266186974d8679bf7e0ec3864322cbe9082d9703d4ca9e75b418306be8
SHA512 8b8d15b513db7bb553a01833501edf7929a9530ba72b6fde8a25d2211d4cbbc300a6f22d2771d5409143a9169fec191a8d1293f84d8f00968b9f0ee3bc5a3572

memory/2748-1126-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1dc043e0d8a662088b19227232ea37eb
SHA1 31e79b67f26252d2f40d4f6f320b6119c7a16ab7
SHA256 3663816dff2f4ac64a5c09e72fbed4dcd021b9e6a3600abb23550c1cec361267
SHA512 5192af6c9f713f027225233a3b38d2f43493ff3c0b5be17c125692cc71104d54111654423760272d5afa1f4d314011c640f5763e17aa687871ef54ce0e33e915

memory/2748-1137-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\Desktop\Cpriv.Loki

MD5 1c785b15fd54ecf6034019630ab71b36
SHA1 5e35afe579e4e4c21405aed513f64c5d5d99fa63
SHA256 76cf053885f43735838e5db146a7d27d096efc62f666fe5a4bd2ca330ed1aefc
SHA512 17db36eff473926bb7fc5c5e29d682048b30fd4ab250b5a86ae68bdca06dad1dead2c69d8d4bd874dbac396174984fc9e3606f79d6218cb2a7cf0f481770efa8

\??\c:\Users\Admin\AppData\Local\Temp\lxia11mm\lxia11mm.cmdline

MD5 c3e3b4a564513cc54ed9a7d37c632310
SHA1 465622d2c6063b8b640befd1e662a1599ae88a6b
SHA256 93c9c74eac763a4437962fa20bc3cadbf8d259fb8cbd8a9a3d04c44eb06fc636
SHA512 7f9798d965f4ce6be9047ae29ecba1c5fb29c59beadcd0698cd292e17924ccb3fd3de2fa4b7181d1b2eebb63c19e6413535f3180160f9859c2871d5ff65617c6

\??\c:\Users\Admin\AppData\Local\Temp\lxia11mm\lxia11mm.0.cs

MD5 1c1cb94e10a99f0c467dab4104f3a988
SHA1 4be89edc3543bc2066c43c80804524604abe4d1d
SHA256 55af44e6a4aafdfef681dcad9aadd3ad13409a026b28213534d0a14d8733a638
SHA512 9b633422dd8ed37d7bb5eeabd2cd93d6ec89831676e08ebf9914d4a2738405b8086bf563a43ddf07c451ae3486753b7bd7c5329838cddf82366e476e9f07c91a

memory/2748-1176-0x0000000000E00000-0x0000000001CFA000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\35huqanv.ico

MD5 dbc49b5f7714255217080c2e81f05a99
SHA1 4de2ef415d66d2bb8b389ba140a468b125388e19
SHA256 6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
SHA512 29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

\??\c:\ProgramData\CSCD1BAFB453BD5467DB198782833FE1055.TMP

MD5 b69d74f9dbe174fa268fa21625d6b8dd
SHA1 2ec55d29918c06f29a011289976b3726e9a1843b
SHA256 9eee2ad76d345bbde4441c87b3e958b130538ecbe32101ba5dfa99640fa6be02
SHA512 c4a067a6fa83e44207e1231a767c0df9a77648c0b5673498b1e4c21b6de430ec75a7a6e227694d50d56a06e6dc9205b153cbd7ff0e747700bd9d8683d3b06e71

C:\Users\Admin\AppData\Local\Temp\RESCD84.tmp

MD5 a35519b6ed8ac0ea1a0f53464d91f691
SHA1 4739630bbdadd5b8553c342dafdd5fa1a5088f6b
SHA256 fafb96361761a38f213c7d38ad0fc2172a63ced993aa1047aed3b65d441811af
SHA512 5daaa2defff79a31eab36d332af3e5686a1e3ce2617f814a456e28263b2fc41025fc90f298cdf343a5ba331d5082229235bf43f0b14f38046a31dbae0da687d5

C:\ProgramData\jlh1olim.exe

MD5 f3fd22a2f69520f73989d87443e49ddd
SHA1 bc8ae99be89a55ab1cb7693b02b1cf341810c5c6
SHA256 41f599505c67e65d33c26c4bf31df7e7bc5f4f9642a00b7abc550e51059b9223
SHA512 23cecb727f16dc0ecb1faf790e825bccf3780df5349c61ac8a3b5a092aa6739bbca07bf9b9c278a39311ddf5ea96a01c960f7898c260d9722f116c83033583ac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 24ed9bdea2f245b6766dcc5dbb52c74e
SHA1 8850a6d5a614eef05ebf648fc75a0842650186b0
SHA256 b446bdd68795955fb57a4fe8ae4ab01ea63a3c2cc4a651617cd2a0523c84d905
SHA512 fededbb403b19d4fa98411997cb13d694d278f45591242d5690718c0393f0bf4dfa54f1d2e1430965a7ed167439a6c6c643dc38be06d70fd36a9c0cc98a371c4

C:\Users\Admin\Downloads\CMDWatcher_v0.4\logs.txt

MD5 4124a04d512a06074f423b73b053c8e1
SHA1 b03c41f580adb8549eb810de2b7b5d65af78d7b2
SHA256 1d0ae1097febb1526548c7dead1b6c5fb973cc8c0499f66b5a2be916db21c215
SHA512 86d556f76298c8b3f976001786f880e34fa23c684973699f7ef5a951169b0043d37141f1e871027eccf2873cb18fbbd81a6e710e029cbe4eebfe49f3bc0dc1f8

memory/2748-1211-0x0000000000E00000-0x0000000001CFA000-memory.dmp

memory/2748-1221-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\Documents\Restore-My-Files.txt

MD5 eb5795b0295395fe03049b93bfa8da80
SHA1 f04a32d19c0d190a3eac307d5c5ab137ee7fc8e9
SHA256 fedcd29b8449fcf13a8056bd9cda9ee3bdc7e5cbcb750a41408a8365fe57203d
SHA512 0abffd62c1a4ff5ec999b799e78f43344c32127e086510a91f42a4c9f4ab8c7512a7b710f0ee3799d56efe297c36b1518b7157501a174abf2d632e9232abe70b

C:\Users\Admin\Downloads\CMDWatcher_v0.4\logs.txt

MD5 f92e49e3df2f9e4f9214f2217e738636
SHA1 149488b4ba75ed13866e2a3a9de65ed8aaf540cf
SHA256 df3d29bea58db0dee2a17c8e858b8752a2fe1b00bd10d2cf6041fefa00afc866
SHA512 30b0516997a427039ddce9afb4561812142da9c052b360fd199df660f85206334225dc927e0630ea3df87d4b6413173f399ac462d836b7ff0c8eb78264b2cdeb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6a3ad07a80e8a4f928a74a0bd9f439a0
SHA1 2e03ceaefb8404d4961dc394a7f9d2f7bd9c880f
SHA256 14a67725b9632e479b08713e5ccd24ed268524b87d376ec2f34b9b8ce060714d
SHA512 6f2c4af47cef667c0588c92299b82b1299a068f798cbba17e86051a2b02235424361eeb7df57fe744545d903df0c5ea9070f35ef86a21055e699db27bce8da16

memory/2748-7948-0x0000000000E00000-0x0000000001CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 166076d33ccef830268eef19ebed373b
SHA1 e86614c5db99b78955e529a270b3a362cb450758
SHA256 a5f79218b386b1066d3fed6e3c7335a829422a8fc991d09cad1417a558138263
SHA512 e6c9ad146f50b510f9d41d39e16be5a0c7af98b63a3ee1a4ea29a848308c573f294222c47351a1d7a0817ea96e8cae94798f47c9a4099b5fff6abdc3029ac1ec

memory/2748-16313-0x0000000000E00000-0x0000000001CFA000-memory.dmp