Overview

Task tabs as the report shows them (the number displayed beside each tab, the task, the platform): Static, 10; Help/en-US...ts.rtf, 3, windows11-21h2-x64; and 31 Help/nvcpl/*.chm tasks, each shown with 1, windows11-21h2-x64. The tab labels are truncated on the page; the full sample paths are in the Behavioral tasks list.
Analysis
max time kernel: 463s
max time network: 462s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-10-2024 16:06
Static task: static1

Behavioral tasks (task: sample, resource). All 32 run the same Windows 11 image except behavioral8 and behavioral24, which ran on win11-20240802-en. The signatures further down all reference behavioral1 memory dumps.
behavioral1: Help/en-US/credits.rtf, win11-20241007-en
behavioral2: Help/nvcpl/nv3d.chm, win11-20241007-en
behavioral3: Help/nvcpl/nv3dara.chm, win11-20241007-en
behavioral4: Help/nvcpl/nv3ddan.chm, win11-20241007-en
behavioral5: Help/nvcpl/nv3ddeu.chm, win11-20241007-en
behavioral6: Help/nvcpl/nv3dell.chm, win11-20241007-en
behavioral7: Help/nvcpl/nv3deng.chm, win11-20241007-en
behavioral8: Help/nvcpl/nv3desn.chm, win11-20240802-en
behavioral9: Help/nvcpl/nv3dfin.chm, win11-20241007-en
behavioral10: Help/nvcpl/nv3dfra.chm, win11-20241007-en
behavioral11: Help/nvcpl/nv3dheb.chm, win11-20241007-en
behavioral12: Help/nvcpl/nv3dhun.chm, win11-20241007-en
behavioral13: Help/nvcpl/nv3dita.chm, win11-20241007-en
behavioral14: Help/nvcpl/nv3djpn.chm, win11-20241007-en
behavioral15: Help/nvcpl/nv3dkor.chm, win11-20241007-en
behavioral16: Help/nvcpl/nv3dnld.chm, win11-20241007-en
behavioral17: Help/nvcpl/nv3dnor.chm, win11-20241007-en
behavioral18: Help/nvcpl/nv3dplk.chm, win11-20241007-en
behavioral19: Help/nvcpl/nv3dptb.chm, win11-20241007-en
behavioral20: Help/nvcpl/nv3dptg.chm, win11-20241007-en
behavioral21: Help/nvcpl/nv3drus.chm, win11-20241007-en
behavioral22: Help/nvcpl/nv3dsky.chm, win11-20241007-en
behavioral23: Help/nvcpl/nv3dslv.chm, win11-20241007-en
behavioral24: Help/nvcpl/nv3dsve.chm, win11-20240802-en
behavioral25: Help/nvcpl/nv3dtha.chm, win11-20241007-en
behavioral26: Help/nvcpl/nv3dtrk.chm, win11-20241007-en
behavioral27: Help/nvcpl/nvcpl.chm, win11-20241007-en
behavioral28: Help/nvcpl/nvcplara.chm, win11-20241007-en
behavioral29: Help/nvcpl/nvcplchs.chm, win11-20241007-en
behavioral30: Help/nvcpl/nvcplcht.chm, win11-20241007-en
behavioral31: Help/nvcpl/nvcplcsy.chm, win11-20241007-en
behavioral32: Help/nvcpl/nvcpldan.chm, win11-20241007-en
General
Target: Help/en-US/credits.rtf
Size: 710KB
MD5: 05b931430fd173bd22900dbaa8bbff10
SHA1: af5176ee28dba4777e4ba3bd9351e5acb402b9f3
SHA256: 3ce703c36dfc6282c22991519309b921ae8f5b2653561ff3f9c1617dc2d6674e
SHA512: e3fbecb7637bdcbf6045140dfd3359529d223e42ff8b03c1883b8011d9dde307f36e7cf1a4b56baa76e052314baf89a03e1f6036e9a443160db394ddd45fe55e
SSDEEP: 6144:HMgRS450MZ1cMa0C6byUnw1ZD63iT/r7Dd0ypdUSKi8Sl:HMgs4CMZ1cMa0C6B2DY0T7Ddd/USKi86
These hashes identify the submitted .rtf (the behavioral1 sample) only; S0FTWARE.exe and the dropped payloads named in the signatures are not hashed in the visible part of the report.
Malware Config
Extracted
Family: vidar
Version: 11.1
Build ID: 467d1313a0fbcd97b65a6f1d261c288f (unlabeled in the extracted config; this position in a Vidar config is the build/profile identifier)
C2 dead-drop resolvers: https://steamcommunity.com/profiles/76561199786602107 and https://t.me/lpnjoke
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Vidar does not embed its C2 address directly. It fetches a public profile page on a legitimate service (here a Steam Community profile and a Telegram channel page) and reads the current C2 out of that page, so the two URLs identify the campaign but are not the exfiltration endpoint, and blocking them breaks only the initial lookup. Both services carry real user traffic, so alert on the specific profile and channel IDs rather than on the domains. The Firefox-on-macOS user agent is a fixed string in the config and is a usable network indicator on a Windows host.
Signatures

The tables below, read together: S0FTWARE.exe (extracted by 7zFM.exe into C:\Users\Admin\AppData\Local\Temp\7zO8067346C\, see the Mark-of-the-Web section) sets the thread context of PID 5500, which the "Loads dropped DLL" table resolves to BitLockerToGo.exe and whose memory carries Vidar; Updater.exe sets the thread context of PID 4872, whose memory carries a UPX-packed XMRig. Around the miner sit the usual support actions: PowerShell Defender exclusions, hosts-file and MRT.exe modification, sc.exe, powercfg, icacls and schtasks. The WinRAR, 7-Zip and Cheat Engine installers downloaded during the session account for most of the remaining file and registry entries.

Detect Vidar Stealer 17 IoCs
All 17 hits are yara rule family_vidar_v7 on the same region of PID 5500 (BitLockerToGo.exe), 0x0000000000400000-0x0000000000676000 (0x276000 bytes, starting at the default 32-bit image base), in behavioral1 memory dumps 1217, 1226, 1227, 1235, 1236, 1240, 1241, 1243, 1244, 1248, 1249, 1265, 1266, 1288, 1289, 1302 and 1303. One payload dumped repeatedly; treat it as a single IoC.

XMRig Miner payload 8 IoCs
All 8 hits are yara rule xmrig on the same region of PID 4872, 0x0000000140000000-0x0000000140848000 (0x848000 bytes, starting at the default 64-bit image base), in behavioral1 memory dumps 1666, 1667, 1669, 1670, 1671, 1672, 1673 and 1674. The same region also matches the upx rule (see "Packed with UPX" below), so the unpacked miner image exists only in memory; a disk scan sees the packed form.
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid process: 6020 powershell.exe, 3664 powershell.exe
powershell.exe in this session also writes under \REGISTRY\USER\.DEFAULT and under C:\Windows\system32\config\systemprofile (see "Modifies data under HKEY_USERS" and "Drops file in System32 directory"), which is the SYSTEM account's profile, so at least one PowerShell instance ran as SYSTEM: the exclusions were added from a service-level context, not from the logged-on user.

Creates new service(s) 2 TTPs

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
File created C:\Windows\system32\drivers\etc\hosts by DGCFHIDAKE.exe
File created C:\Windows\system32\drivers\etc\hosts by Updater.exe
Malware commonly rewrites the hosts file to pin update and security-vendor hostnames to an unreachable address. The report does not show the entries written, so recover the file from the sandbox artifacts (or the host) and diff it against a stock copy before trusting name resolution on that machine.
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE 21 IoCs
pid process:
6088 winrar-x64-701.exe
5160 winrar-x64-701.exe
1460 7z2408-x64.exe
5640 7zFM.exe
5472 S0FTWARE.exe
5760 DGCFHIDAKE.exe
6052 AAAAECGHCB.exe
3012 Updater.exe
4796 S0FTWARE.exe
2320 S0FTWARE.exe
2056 service.exe
5384 S0FTWARE.exe
4440 CheatEngine75.exe
4612 CheatEngine75.tmp
5592 CheatEngine75.exe
104 CheatEngine75.tmp
3172 _setup64.tmp
5460 Kernelmoduleunloader.exe
2992 windowsrepair.exe
1120 Cheat Engine.exe
5304 cheatengine-x86_64-SSE4-AVX2.exe
The WinRAR, 7-Zip and Cheat Engine entries are installers the session downloaded (their Zone.Identifier streams are listed under Mark-of-the-Web Bypass). The executables to pivot on are S0FTWARE.exe (four runs), DGCFHIDAKE.exe, AAAAECGHCB.exe, Updater.exe and service.exe.

Loads dropped DLL 12 IoCs
pid process:
3260 Process not Found
5640 7zFM.exe
5500 BitLockerToGo.exe (2 entries)
4612 CheatEngine75.tmp
5304 cheatengine-x86_64-SSE4-AVX2.exe (7 entries)
PID 5500 is BitLockerToGo.exe, a Windows binary that does not appear in the "Executes dropped EXE" list yet loads dropped DLLs; S0FTWARE.exe (5472) sets its thread context (see "Suspicious use of SetThreadContext"), which is what a hollowed host process looks like in these tables.

Modifies file permissions 1 TTPs 2 IoCs
pid process: 4216 icacls.exe, 2632 icacls.exe
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks for any installed AV software in registry 1 TTPs 3 IoCs
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed by CheatEngine75.tmp
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed by CheatEngine75.tmp
Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\SOFTWARE\Avira\Browser\Installed by CheatEngine75.tmp
All three come from the Cheat Engine installer (CheatEngine75.tmp), not from the stealer or the miner.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc: 89 bitbucket.org, 95 pastebin.com, 297 bitbucket.org, 307 pastebin.com
Payload hosting and lookups on sites that also carry legitimate traffic; alert on the specific flows (full URLs from the sandbox's network capture), not on the domains.

Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from sleeping, locking or shutting down, which keeps a miner's hash rate up.
pid process: 5888 powercfg.exe, 1716 powercfg.exe, 2988 powercfg.exe, 3248 powercfg.exe, 5576 powercfg.exe, 6056 powercfg.exe, 1968 powercfg.exe, 3580 powercfg.exe
Drops file in System32 directory 46 IoCs
"File opened for modification" records the access requested at open time, not a confirmed write. 42 of the 46 entries are cheatengine-x86_64-SSE4-AVX2.exe opening system modules, ordinary for Cheat Engine, which parses loaded modules for symbols:
C:\Windows\System32\ kernel.appcore.dll, bcryptPrimitives.dll, apphelp.dll, RPCRT4.dll, user32.dll, imm32.dll, ws2_32.dll, clbcatq.dll, combase.dll, SHLWAPI.dll, KERNEL32.DLL, GDI32.dll, uxtheme.dll, winmm.dll, dxcore.dll, explorerframe.dll, win32u.dll, shcore.dll, version.dll, hhctrl.ocx, ntdll.dll, advapi32.dll, opengl32.dll, windows.storage.dll, msvcrt.dll, sechost.dll, ole32.dll, comdlg32.dll, PROPSYS.dll, wininet.dll, GLU32.dll, KERNELBASE.dll, gdi32full.dll, shell32.dll, psapi.dll, wsock32.dll, msimg32.dll, MSCTF.dll, oleaut32.dll, msvcp_win.dll, ucrtbase.dll, wintypes.dll
The four that matter:
File opened for modification C:\Windows\system32\MRT.exe by DGCFHIDAKE.exe
File opened for modification C:\Windows\system32\MRT.exe by Updater.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive by powershell.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log by powershell.exe
MRT.exe is the Malicious Software Removal Tool. Two of the dropped executables opening it for write is a tampering indicator: compare its hash and Authenticode signature against a clean copy of the same build. The two powershell.exe entries sit under the SYSTEM profile (config\systemprofile), which is how you know PowerShell ran as SYSTEM.
Suspicious use of SetThreadContext 6 IoCs
source pid, source process -> target pid (report process id of the target):
5472 S0FTWARE.exe -> 5500 (170)
3012 Updater.exe -> 5652 (231)
3012 Updater.exe -> 4872 (234)
4796 S0FTWARE.exe -> 4496 (238)
2320 S0FTWARE.exe -> 1052 (244)
5384 S0FTWARE.exe -> 5916 (247)
Each S0FTWARE.exe run sets the thread context of a different process. For the first, the report resolves the target: PID 5500 is BitLockerToGo.exe (see "Loads dropped DLL") and holds the Vidar image at 0x400000. Updater.exe does the same twice, and PID 4872 holds the UPX-packed XMRig image at 0x140000000. Setting the thread context of another process whose memory then contains a foreign image at the default image base is the process-hollowing footprint; the other four targets are not resolved in the visible part of the report, but the pattern is the same.

Packed with UPX (yara rule upx) 13 IoCs
All 13 hits are on PID 4872, region 0x0000000140000000-0x0000000140848000, behavioral1 memory dumps 1661, 1662, 1663, 1664, 1665, 1666, 1667, 1669, 1670, 1671, 1672, 1673 and 1674: the same region the xmrig rule matches.
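The three yara tables and the SetThreadContext table above are easier to read once the dump names are parsed and joined. The following is an added example (not the sandbox's own code): it collapses the per-dump yara rows to unique (pid, region) pairs and labels each SetThreadContext edge with what was found in the target's memory. The yara rows are a subset copied from the report, the 5500 to BitLockerToGo.exe mapping comes from the "Loads dropped DLL" table, and the default-image-base heuristic and the hollowing flag are this example's own assumptions.

```python
"""Join sandbox yara memory hits with SetThreadContext events."""
import re
from collections import defaultdict

# Subset of the report's yara rows: "<dump path> <rule>".
YARA_ROWS = """
behavioral1/memory/5500-1217-0x0000000000400000-0x0000000000676000-memory.dmp family_vidar_v7
behavioral1/memory/5500-1303-0x0000000000400000-0x0000000000676000-memory.dmp family_vidar_v7
behavioral1/memory/4872-1672-0x0000000140000000-0x0000000140848000-memory.dmp xmrig
behavioral1/memory/4872-1661-0x0000000140000000-0x0000000140848000-memory.dmp upx
behavioral1/memory/4872-1674-0x0000000140000000-0x0000000140848000-memory.dmp upx
"""

# "Suspicious use of SetThreadContext" rows: (source pid, source image, target pid).
SET_THREAD_CONTEXT = [
    (5472, "S0FTWARE.exe", 5500),
    (3012, "Updater.exe", 5652),
    (3012, "Updater.exe", 4872),
    (4796, "S0FTWARE.exe", 4496),
    (2320, "S0FTWARE.exe", 1052),
    (5384, "S0FTWARE.exe", 5916),
]

# pid -> image, as far as the report's other tables resolve it.
PID_IMAGE = {5472: "S0FTWARE.exe", 4796: "S0FTWARE.exe", 2320: "S0FTWARE.exe",
             5384: "S0FTWARE.exe", 3012: "Updater.exe", 5500: "BitLockerToGo.exe"}

# Default bases of non-relocated PE images (assumption used by the heuristic):
# a payload mapped exactly here inside a foreign process is the hollowing look.
DEFAULT_IMAGE_BASES = {0x400000: "32-bit default", 0x140000000: "64-bit default"}

DUMP_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp\s+(?P<rule>\S+)")


def parse_regions(rows):
    """Return {(pid, start, end): {"rules": set, "dumps": count}} from yara rows."""
    regions = defaultdict(lambda: {"rules": set(), "dumps": 0})
    for line in rows.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised yara row: {line!r}")
        key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        regions[key]["rules"].add(m["rule"])
        regions[key]["dumps"] += 1
    return dict(regions)


def injection_chains(events, pid_image, regions):
    """Label each SetThreadContext edge with the target image (if known), the
    yara families found in the target, and a hollowing flag."""
    by_pid = defaultdict(list)
    for (pid, start, end), info in regions.items():
        by_pid[pid].append((start, end, info))
    chains = []
    for src_pid, src_image, dst_pid in events:
        dst_image = pid_image.get(dst_pid)  # None when the report does not say
        families, at_default_base = set(), False
        for start, _end, info in by_pid.get(dst_pid, []):
            families |= info["rules"]
            at_default_base |= start in DEFAULT_IMAGE_BASES
        chains.append({
            "source": f"{src_image}:{src_pid}",
            "target_pid": dst_pid,
            "target_image": dst_image,
            # cross-process SetThreadContext plus an image at a default base in
            # the target (and a different, or unknown, target image) => hollowing
            "hollowing_suspected": at_default_base
            and (dst_image is None or dst_image != src_image),
            "families": sorted(families),
        })
    return chains


if __name__ == "__main__":
    regs = parse_regions(YARA_ROWS)
    for (pid, s, e), info in sorted(regs.items()):
        print(f"pid {pid}: 0x{s:x}-0x{e:x} ({e - s:#x} bytes) "
              f"{sorted(info['rules'])} in {info['dumps']} dumps")
    for chain in injection_chains(SET_THREAD_CONTEXT, PID_IMAGE, regs):
        print(chain)
```

Run against the full tables, the 38 yara rows collapse to two regions (one per payload) and the six edges reduce to two labelled chains plus four unresolved targets to chase in the sandbox's process tree.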
Drops file in Program Files directory 64 IoCs
All 64 entries are installer and symbol-file activity from the downloaded software, none from the payloads.
CheatEngine75.tmp (the Inno Setup stage of the Cheat Engine installer), under C:\Program Files\Cheat Engine 7.5\:
  created is-O0N5J.tmp, is-09CLS.tmp, is-FNE7L.tmp, is-MF86S.tmp, is-IG5J3.tmp, win64\is-SA1NL.tmp, languages\is-6O1CG.tmp, include\is-9G3PU.tmp, include\is-48P2I.tmp, include\sec_api\is-ECR5O.tmp, include\winapi\is-AAO9G.tmp, include\winapi\is-KQ8O7.tmp, include\winapi\is-J8HLU.tmp, include\winapi\is-HF48A.tmp, autorun\is-NLU7M.tmp, autorun\is-5GCD9.tmp, autorun\is-G7ECJ.tmp, autorun\ceshare\forms\is-UFKQI.tmp, autorun\dlls\src\Java\CEJVMTI\is-1LKSC.tmp, autorun\dlls\src\Mono\MonoDataCollector\is-JNI3B.tmp, badassets\is-C58C9.tmp, badassets\is-CK3ML.tmp, plugins\c# template\CEPluginLibrary\is-C8D3M.tmp (23 entries)
  opened for modification win32\symsrv.dll, win64\symsrv.dll, clibs64\lfs.dll, cheatengine-x86_64-SSE4-AVX2.exe, speedhack-i386.dll, tcc64-32-linux.dll, d3dhook64.dll, d3dhook.dll, ced3d9hook.dll (9 entries)
cheatengine-x86_64-SSE4-AVX2.exe, opened for modification under C:\Program Files\Cheat Engine 7.5\ (its own image and .pdb symbol files): cheatengine-x86_64-SSE4-AVX2.exe, gdi32full.pdb, gdi32.pdb, nsi.pdb, opengl32.pdb, iphlpapi.pdb, imm32.pdb, glu32.pdb, combase.pdb, mswsock.pdb, uxtheme.pdb, tcc64-64.pdb, XInput1_4.pdb, symbols\dll\Kernel.Appcore.pdb, dll\LFS.pdb, dll\psapi.pdb, dll\user32.pdb, DLL\winnsi.pdb, dll\winhttp.pdb, dll\fwpuclnt.pdb, dll\oleaut32.pdb (21 entries)
7z2408-x64.exe, opened for modification under C:\Program Files\7-Zip\: 7-zip.chm, Lang\mn.txt, Lang\ro.txt, Lang\pt-br.txt, Lang\be.txt, Lang\fr.txt, Lang\it.txt, Lang\mng.txt, Lang\ku.txt, Lang\ka.txt, Lang\va.txt (11 entries)
Drops file in Windows directory 7 IoCs
File opened for modification C:\Windows\SystemTemp by chrome.exe (3 entries)
File opened for modification C:\Windows\SystemTemp by setup.exe
File opened for modification C:\Windows\SystemTemp\Crashpad\metadata by setup.exe
File opened for modification C:\Windows\SystemTemp\Crashpad\settings.dat by setup.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\comctl32.dll by cheatengine-x86_64-SSE4-AVX2.exe
Browser and Chrome-installer (Crashpad) housekeeping plus Cheat Engine opening the common-controls DLL; nothing here belongs to the payloads.

Launches sc.exe 16 IoCs
sc.exe is the Windows utility for controlling services. Sixteen invocations in one session is consistent with a service being created and other services being stopped or disabled, which lines up with the "Creates new service(s)" signature; the report does not show the arguments, so pull the command lines from the process tree.
pid process: 1340, 2868, 3044, 5944, 2420, 5020, 2948, 5816, 5464, 5568, 5268, 4604, 3108, 5440, 2840, 2464 (all sc.exe)
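The PowerShell, Power Settings, Modifies file permissions and Launches sc.exe signatures above each describe a class of command line, and the report records only PIDs for them. The following is an added example (not the sandbox's signature code) of rules for those classes run over process records. The command lines, the path C:\ProgramData\Updater and the service list in service_tamper are constructed to illustrate the pattern and are not from the report.

```python
"""Command-line triage rules for the support actions around a miner."""
import re

# Constructed process records: (pid, image, command line). Not from the report.
SAMPLE_EVENTS = [
    (6020, "powershell.exe",
     'powershell -NoP -W Hidden -C "Add-MpPreference -ExclusionPath C:\\ProgramData\\Updater"'),
    (3664, "powershell.exe",
     'powershell -C "Add-MpPreference -ExclusionProcess Updater.exe; '
     'Set-MpPreference -DisableRealtimeMonitoring $true"'),
    (5888, "powercfg.exe", "powercfg /x -standby-timeout-ac 0"),
    (1716, "powercfg.exe", "powercfg /hibernate off"),
    (1340, "sc.exe", "sc stop UsoSvc"),
    (2868, "sc.exe", "sc config WaaSMedicSvc start= disabled"),
    (3044, "sc.exe",
     'sc create "Updater Service" binPath= "C:\\ProgramData\\Updater\\Updater.exe" start= auto'),
    (4216, "icacls.exe", 'icacls "C:\\ProgramData\\Updater" /deny Everyone:(D,WD,WDAC)'),
    (4100, "powershell.exe", "powershell -C Get-Date"),  # benign control, must not fire
]

# Starter list of services miners commonly stop or disable (assumption).
TAMPER_TARGETS = r"WinDefend|Sense|MsMpSvc|WdNisSvc|wuauserv|UsoSvc|WaaSMedicSvc|bits|DoSvc"

# (rule name, images the rule applies to, pattern over the command line)
RULES = [
    ("defender_exclusion", {"powershell.exe", "pwsh.exe"},
     re.compile(r"(Add|Set)-MpPreference\b[^;|]*-Exclusion(Path|Extension|Process)", re.I)),
    ("defender_disable", {"powershell.exe", "pwsh.exe"},
     re.compile(r"Set-MpPreference\b[^;|]*-Disable\w+\s+\$?true", re.I)),
    ("power_settings", {"powercfg.exe"},
     re.compile(r"[-/](x|change)\s+-?[\w-]*timeout[\w-]*\s+0\b|[-/]h(ibernate)?\s+off", re.I)),
    ("service_tamper", {"sc.exe"},
     re.compile(r"\b(stop|delete|config)\s+(" + TAMPER_TARGETS + r")\b", re.I)),
    ("service_create", {"sc.exe"}, re.compile(r"\bcreate\s+", re.I)),
    ("acl_lockdown", {"icacls.exe"}, re.compile(r"/(deny|grant)\b", re.I)),
]


def triage(events):
    """Return [(rule, pid, image)] for every record a rule matches."""
    hits = []
    for pid, image, cmdline in events:
        for name, images, pattern in RULES:
            if image.lower() in images and pattern.search(cmdline):
                hits.append((name, pid, image))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

In production the records come from Sysmon event 1 or 4688 with command-line auditing, and the MpPreference rules should also be run over PowerShell script-block logs (event 4104), because the process command line is often just an encoded blob.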
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When a file is downloaded from the Internet, the browser tags it with an NTFS alternate data stream (ADS) named Zone.Identifier, the Mark of the Web (MOTW); SmartScreen, Office Protected View and the shell read it before the file is run or opened.
File opened for modification C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier by chrome.exe
File opened for modification C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier by chrome.exe
File created C:\Users\Admin\AppData\Local\Temp\7zO8067346C\S0FTWARE.exe:Zone.Identifier by 7zFM.exe
File opened for modification C:\Users\Admin\Downloads\CheatEngine75.exe:Zone.Identifier by chrome.exe
None of the four entries is a bypass: three are chrome.exe writing the mark on its own downloads, one is 7-Zip propagating it to S0FTWARE.exe when the archive was opened in the 7-Zip GUI. The signature fires on any Zone.Identifier access. What the 7zFM.exe entry does tell you is where S0FTWARE.exe came from (an archive extracted through 7zFM.exe into the 7zO8067346C temp folder) and that it was executed with the mark present, so the mark alone did not prevent execution.
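Parsing the Zone.Identifier stream the entries above refer to, as an added example that is not part of the report. The stream text below is constructed; the [ZoneTransfer] section, the ZoneId/ReferrerUrl/HostUrl values and the zone numbering are the Windows format. read_motw opens the ADS through the path:stream syntax, which only works on NTFS under Windows, and returns None elsewhere or when the stream is absent, which is exactly the condition a real MOTW bypass leaves behind.

```python
"""Parse and classify a Zone.Identifier (Mark of the Web) stream."""
import configparser
import os

# URLMON zone ids as stored in the ZoneId value.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes; real streams carry the real URLs.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example/page\r\n"
    "HostUrl=https://downloads.example/files/S0FTWARE.7z\r\n"
)


def parse_zone_identifier(text):
    """Return {'zone_id', 'zone', 'referrer', 'host'} or None if the text is not
    a ZoneTransfer stream. '=' is the only delimiter so URLs with ':' survive,
    and interpolation is off so '%' in URLs is kept literally."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    zone_id = cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    if zone_id is None:
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "unknown"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host": cp.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def is_untrusted(info):
    """Internet (3) and Restricted sites (4) are the zones SmartScreen and
    Protected View act on."""
    return info is not None and info["zone_id"] >= 3


def read_motw(path):
    """Read the ADS from disk (NTFS on Windows only). None means no mark."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "untrusted" if is_untrusted(info) else "trusted")
```

On a live host, run read_motw over every executable in a user's Downloads and temp folders: files that clearly came from the Internet but return None are the ones to look at, since that is what stripping or never receiving the mark looks like.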
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 24 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by process: S0FTWARE.exe (4), BitLockerToGo.exe (4), cmd.exe (3), schtasks.exe (2), CheatEngine75.exe (2), CheatEngine75.tmp (2), 7z2408-x64.exe, Kernelmoduleunloader.exe, Cheat Engine.exe, timeout.exe, windowsrepair.exe, AAAAECGHCB.exe, service.exe (1 each).
The C runtime reads this key during locale initialisation in nearly every process, so the signature carries no weight on its own. The list is still useful as a process inventory: cmd.exe, timeout.exe and two schtasks.exe runs appear here with no dedicated signature elsewhere in the visible report, and schtasks.exe points at scheduled-task persistence worth pulling from the sandbox's process tree. Four BitLockerToGo.exe instances for four S0FTWARE.exe runs is also consistent with each run hollowing its own host.
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by BitLockerToGo.exe (4 entries)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by BitLockerToGo.exe (4 entries)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by CheatEngine75.tmp
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ by CheatEngine75.tmp
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 by WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by WINWORD.EXE
The BitLockerToGo.exe reads come from the process S0FTWARE.exe hollows; stealers collect the CPU name for the victim profile they exfiltrate, which fits the sandbox's second tag as well as the sandbox-detection one. The Word and installer reads are ordinary.

Delays execution with timeout.exe 1 IoCs
pid process: 6036 timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU by WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS by WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily by WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by chrome.exe (3 entries)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by chrome.exe (3 entries)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by chrome.exe (3 entries)
Only Word and Chrome read the BIOS keys here (telemetry); none of the payload processes appear in this table.
Modifies data under HKEY_USERS 54 IoCs
powershell.exe (46 entries), all under \REGISTRY\USER\.DEFAULT, the hive the SYSTEM account uses:
  Key created Software\Microsoft\SystemCertificates\{Root, CA, trust, Disallowed, TrustedPeople, SmartCardRoot} and, for each store, its \Certificates, \CRLs and \CTLs subkeys (24 entries)
  Key created Software\Policies\Microsoft\SystemCertificates\{CA, trust, Disallowed, TrustedPeople} and, for each store, its \Certificates, \CRLs and \CTLs subkeys (16 entries)
  Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\, and Set value (int) ZoneMap\AutoDetect = "0", ZoneMap\ProxyBypass = "1", ZoneMap\UNCAsIntranet = "1", ZoneMap\IntranetName = "1"
explorer.exe (4 entries): Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT, \Root\Certificates, \Root\CRLs, \Root\CTLs
chrome.exe (4 entries): Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (3 entries) and Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732228999032959"
The empty certificate-store skeleton and the ZoneMap defaults are what .NET's certificate code and WinINet create the first time they run under a profile that has never used them. Their presence under .DEFAULT says PowerShell ran as SYSTEM; it does not say the stores were tampered with, and no certificate or CTL value was written.
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | 7z2408-x64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | 7z2408-x64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 50003100000000004759a8601000372d5a6970003c0009000400efbe4759a8604c5982812e000000d99e0200000004000000000000000000000000000000be86660037002d005a0069007000000014000000 | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine | CheatEngine75.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.CT | CheatEngine75.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\7zFM.exe\shell | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | 7z2408-x64.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine" | CheatEngine75.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0" | CheatEngine75.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER | CheatEngine75.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine" | CheatEngine75.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | 7z2408-x64.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c0031000000000047597963110050524f4752417e310000740009000400efbec55259614c59fd802e0000003f0000000000010000000000000000004a00000000009d870f00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | OpenWith.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open | CheatEngine75.tmp
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon | CheatEngine75.tmp
Key created | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | 7z2408-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | 7z2408-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | 7z2408-x64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | OpenWith.exe
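The 7z2408-x64.exe rows above are the normal footprint of a shell-extension install: one CLSID ({23170F69-40C1-278A-1000-000100020000}) registered under both the native and the WOW6432Node CLSID hives with an InprocServer32 default value naming 7-zip.dll or 7-zip32.dll, and that CLSID wired into ContextMenuHandlers and DragDropHandlers for *, Folder, Directory and Drive. The same mechanism is attractive for persistence because explorer.exe loads every such DLL in-process, so the triage step is to resolve each registered handler to its DLL and check what is actually on disk. The PowerShell below is an added example, not part of the report or of any installer it ran; the handler roots and kinds it walks and the Program Files allow-list are assumptions for illustration.

```powershell
# Added example (not from the report): resolve shell-extension handlers to their DLLs
# and check Authenticode signatures. Roots, kinds and the allow-list are assumptions.
function Get-ShellExtensionHandler {
    $roots = @('*', 'AllFilesystemObjects', 'Folder', 'Directory', 'Drive')
    $kinds = @('ContextMenuHandlers', 'DragDropHandlers', 'PropertySheetHandlers', 'CopyHookHandlers')

    foreach ($root in $roots) {
        foreach ($kind in $kinds) {
            $base = "Registry::HKEY_CLASSES_ROOT\$root\shellex\$kind"
            if (-not (Test-Path -LiteralPath $base)) { continue }

            foreach ($handler in Get-ChildItem -LiteralPath $base) {
                # The handler's default value holds the CLSID; some handlers are keyed by the CLSID itself.
                $clsid = (Get-ItemProperty -LiteralPath $handler.PSPath).'(default)'
                if (-not $clsid) { $clsid = $handler.PSChildName }
                if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

                # 64-bit hosts load from CLSID; 32-bit hosts from WOW6432Node\CLSID.
                $dll = $null
                foreach ($view in @('CLSID', 'WOW6432Node\CLSID')) {
                    $srv = "Registry::HKEY_CLASSES_ROOT\$view\$clsid\InprocServer32"
                    if (Test-Path -LiteralPath $srv) {
                        $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
                        if ($dll) { break }
                    }
                }
                $dllPath  = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
                $sigState = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
                                (Get-AuthenticodeSignature -LiteralPath $dllPath).Status
                            } else { 'DllNotFound' }

                [pscustomobject]@{
                    Root = $root; Kind = $kind; Handler = $handler.PSChildName
                    CLSID = $clsid; Dll = $dllPath; Signature = $sigState
                }
            }
        }
    }
}

# Anything unsigned, missing on disk, or loaded from outside Program Files deserves a look.
# (Adjust the prefix if the system drive is not C:.)
Get-ShellExtensionHandler |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Dll -notlike 'C:\Program Files*' } |
    Format-Table -AutoSize
```

On the sandbox host this should list the 7-Zip handler as Valid with Dll = C:\Program Files\7-Zip\7-zip.dll; a handler whose CLSID resolves to a DLL under a user profile, or whose DLL is gone, is the case the filter is there to surface.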
NTFS ADS 5 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\S0FTWARE.rar:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier | chrome.exe
File created | C:\Users\Admin\AppData\Local\Temp\7zO8067346C\S0FTWARE.exe:Zone.Identifier | 7zFM.exe
File opened for modification | C:\Users\Admin\Downloads\CheatEngine75.exe:Zone.Identifier | chrome.exe
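The Zone.Identifier stream is the Mark-of-the-Web. chrome.exe writes it on every download (the four "File opened for modification" rows), and the "File created" row shows 7zFM.exe propagating it onto the S0FTWARE.exe it extracted from S0FTWARE.rar into a 7zO... temp folder. Reading the stream back gives the zone (ZoneId=3 is the Internet zone) and, for Chrome downloads, the ReferrerUrl and HostUrl the file came from, which is usually the quickest way to recover the delivery URL from a host. The PowerShell below is an added example and not part of the report; the file list is the one in this section, and the parser assumes the usual [ZoneTransfer] key=value layout of the stream.

```powershell
# Added example (not from the report): read Mark-of-the-Web streams for the files named
# in the NTFS ADS section. Paths are the ones recorded in the sandbox run.
$files = @(
    'C:\Users\Admin\Downloads\S0FTWARE.rar',
    'C:\Users\Admin\Downloads\winrar-x64-701.exe',
    'C:\Users\Admin\Downloads\7z2408-x64.exe',
    'C:\Users\Admin\Downloads\CheatEngine75.exe',
    'C:\Users\Admin\AppData\Local\Temp\7zO8067346C\S0FTWARE.exe'
)

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Exists = $false; HasMotw = $false
        ZoneId = $null; ReferrerUrl = $null; HostUrl = $null
    }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }
    $result.Exists = $true

    # Enumerate alternate data streams; MOTW is the one named Zone.Identifier.
    $hasStream = Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -eq 'Zone.Identifier' }
    if (-not $hasStream) { return [pscustomobject]$result }
    $result.HasMotw = $true

    # The stream is INI-style text: a [ZoneTransfer] header followed by key=value lines.
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^\s*(?<k>[^=\[\]]+?)\s*=\s*(?<v>.*?)\s*$') {
            switch ($Matches.k) {
                'ZoneId'      { $result.ZoneId      = [int]$Matches.v }
                'ReferrerUrl' { $result.ReferrerUrl = $Matches.v }
                'HostUrl'     { $result.HostUrl     = $Matches.v }
            }
        }
    }
    [pscustomobject]$result
}

# ZoneId 3 = Internet. An executable in Downloads with Exists=True and HasMotw=False is worth
# a second look: either the stream was stripped or the file did not arrive through a browser.
$files | ForEach-Object { Get-MotwInfo -Path $_ } | Format-Table -AutoSize
```

Run it on the analysis VM (or against a mounted image with the paths adjusted); the HostUrl column for S0FTWARE.rar is the download source, and the S0FTWARE.exe row shows whether the archive tool kept the mark on the extracted payload, as 7zFM.exe did here.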
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
232 | schtasks.exe
1396 | schtasks.exe
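Two schtasks.exe invocations (PIDs 232 and 1396) are recorded here without their command lines, so what was registered has to be recovered from the task store or the Task Scheduler log. The PowerShell below is an added example, not part of the report: it lists tasks whose action runs from a user-writable location and then pulls task-registration events. The path fragments it treats as suspicious are an assumption for illustration, and the Microsoft-Windows-TaskScheduler/Operational log is disabled by default, so the event query returns nothing unless that log has been enabled (Security event 4698 is the alternative where object-access auditing is on).

```powershell
# Added example (not from the report): scheduled tasks whose action runs from a user-writable
# path, plus recent task registrations. The path list is an assumed starting point.
$userWritable = @('\AppData\', '\Temp\', '\Users\Public\', '\ProgramData\', '\Downloads\')

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "start a program" actions expose Execute/Arguments.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $hit = $userWritable | Where-Object { $exe -like "*$_*" }
            if (-not $hit) { continue }

            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                RunAs     = $task.Principal.UserId
                Author    = $task.Author
                Execute   = $exe
                Arguments = $action.Arguments
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-List

# Registration events: 106 = task registered, 140 = task updated, 141 = task deleted.
# The log is off by default; enable it with:
#   wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true
$filter = @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'TaskName';    e = { $_.Properties[0].Value } },
        @{ n = 'UserContext'; e = { $_.Properties[1].Value } }
```

The task-store walk needs no auditing to have been configured beforehand, which is why it comes first; the event query adds who registered the task and when, but only if logging was already on when schtasks.exe ran.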
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4980 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive repeats collapsed, order preserved)
3968 | chrome.exe (×2)
2784 | chrome.exe (×4)
4188 | chrome.exe (×2)
5640 | 7zFM.exe (×2)
5500 | BitLockerToGo.exe (×6)
6052 | AAAAECGHCB.exe (×2)
5500 | BitLockerToGo.exe (×2)
5640 | 7zFM.exe (×2)
5760 | DGCFHIDAKE.exe (×1)
6020 | powershell.exe (×2)
5760 | DGCFHIDAKE.exe (×14)
5640 | 7zFM.exe (×6)
3012 | Updater.exe (×1)
3664 | powershell.exe (×2)
3012 | Updater.exe (×12)
4872 | explorer.exe (×4)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2092 | OpenWith.exe
5640 | 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs
pid | Process (consecutive repeats collapsed, order preserved)
3968 | chrome.exe (×27)
4188 | chrome.exe (×5)
452 | chrome.exe (×11)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
(the two rows above alternate for all 64 entries: 32 of each, all PID 3968 chrome.exe)
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3968 | chrome.exe (×64)
Suspicious use of SendNotifyMessage 40 IoCs
pid | Process (consecutive repeats collapsed, order preserved)
3968 | chrome.exe (×16)
4188 | chrome.exe (×12)
452 | chrome.exe (×12)
Suspicious use of SetWindowsHookEx 32 IoCs
pid | Process (consecutive repeats collapsed, order preserved)
4980 | WINWORD.EXE (×8)
6088 | winrar-x64-701.exe (×3)
5160 | winrar-x64-701.exe (×3)
1460 | 7z2408-x64.exe (×1)
2092 | OpenWith.exe (×15)
5420 | hh.exe (×2)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive repeats collapsed, order preserved)
PID 3968 wrote to memory of 3724 | 3968 | chrome.exe | 85 (×2)
PID 3968 wrote to memory of 2428 | 3968 | chrome.exe | 86 (×30)
PID 3968 wrote to memory of 5052 | 3968 | chrome.exe | 87 (×2)
PID 3968 wrote to memory of 4224 | 3968 | chrome.exe | 88 (×30)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4980)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Help\en-US\credits.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3968)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3724, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fccccc40,0x7ff8fccccc4c,0x7ff8fccccc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2428, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5052, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4224, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2628, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4204, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1180, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4640, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1412, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2512, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3760,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3508, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3412,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4780, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3424 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2876, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4840,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4412 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4664, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5000,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 996, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4692,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3424 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3852, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5132,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3888, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5312,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4068, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5424,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4764, child of 3968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5608,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:1
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5612,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5572 /prefetch:12⤵PID:4648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5748,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5736 /prefetch:12⤵PID:968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5880,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5920 /prefetch:12⤵PID:772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6132,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6096 /prefetch:12⤵PID:5040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6288,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6272 /prefetch:12⤵PID:2468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6436,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6412 /prefetch:12⤵PID:2848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6704,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6816 /prefetch:12⤵PID:3888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6308,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6948 /prefetch:12⤵PID:496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7096,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6432 /prefetch:12⤵PID:3460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7252,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7268 /prefetch:12⤵PID:1080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7272,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7380 /prefetch:12⤵PID:2860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7280,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6156 /prefetch:12⤵PID:5300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5524,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:12⤵PID:5420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5556,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:12⤵PID:5448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7200,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:82⤵PID:5512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7176,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5856 /prefetch:82⤵PID:5520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7092 /prefetch:82⤵PID:5824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6668,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7428 /prefetch:82⤵PID:5836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6164,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:12⤵PID:5952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6792,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6584 /prefetch:82⤵
- NTFS ADS
PID:3640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=4728,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7220 /prefetch:12⤵PID:4204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6584,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3472,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:82⤵PID:5712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6064,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6536 /prefetch:82⤵PID:104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4564,i,9026157097766488655,9733164640032455349,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2528 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:5924
-
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6088
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (depth 1, PID 3640)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (depth 1, PID 2084)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\BackgroundTransferHost.exe  (depth 1, PID 1656)
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  - Modifies registry class

C:\Windows\System32\rundll32.exe  (depth 1, PID 3344)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\werfault.exe  (depth 1, PID 4340)
  werfault.exe /h /shared Global\324e77cedc3c4684a3c779195e583512 /t 6092 /p 6088

C:\Users\Admin\Downloads\winrar-x64-701.exe  (depth 1, PID 5160)
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\werfault.exe  (depth 1, PID 852)
  werfault.exe /h /shared Global\b5fbce5aa95d46008405c4167ecb4601 /t 5192 /p 5160

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 1, PID 4188)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3760)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fccccc40,0x7ff8fccccc4c,0x7ff8fccccc58

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 4492)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=1936 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 4684)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=1972 /prefetch:3

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 5860)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=2392 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 5820)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3260 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 5124)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3268 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 5212)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3796,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4424 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 976)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4544 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 6100)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4584 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3460)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4772 /prefetch:8

  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe  (depth 2, PID 2956)
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
    - Drops file in Windows directory

    C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe  (depth 3, PID 4992)
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6f8bf4698,0x7ff6f8bf46a4,0x7ff6f8bf46b0
      - Drops file in Windows directory

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 4148)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4780 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3408)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4600,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4636 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3256)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3436,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3292 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3080)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5220,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5240 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 8)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5248,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5384 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3804)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5540,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5092 /prefetch:8
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 4696)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3552,i,14202910914034482249,16847817186052788892,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5216 /prefetch:8

  C:\Users\Admin\Downloads\7z2408-x64.exe  (depth 2, PID 1460)
    "C:\Users\Admin\Downloads\7z2408-x64.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (depth 1, PID 2076)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (depth 1, PID 964)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\OpenWith.exe  (depth 1, PID 2092)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

  C:\Program Files\7-Zip\7zFM.exe  (depth 2, PID 5640)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\S0FTWARE.rar"
    - Executes dropped EXE
    - Loads dropped DLL
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

    C:\Users\Admin\AppData\Local\Temp\7zO8067346C\S0FTWARE.exe  (depth 3, PID 5472)
      "C:\Users\Admin\AppData\Local\Temp\7zO8067346C\S0FTWARE.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery

      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  (depth 4, PID 5500)
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses

        C:\ProgramData\DGCFHIDAKE.exe  (depth 5, PID 5760)
          "C:\ProgramData\DGCFHIDAKE.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses

          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (depth 6, PID 6020)
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          C:\Windows\system32\cmd.exe  (depth 6, PID 4940)
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

            C:\Windows\system32\wusa.exe  (depth 7, PID 4316)
              wusa /uninstall /kb:890830 /quiet /norestart

          C:\Windows\system32\sc.exe  (depth 6, PID 5440)
            C:\Windows\system32\sc.exe stop UsoSvc
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 5464)
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 2868)
            C:\Windows\system32\sc.exe stop wuauserv
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 2420)
            C:\Windows\system32\sc.exe stop bits
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 2840)
            C:\Windows\system32\sc.exe stop dosvc
            - Launches sc.exe

          C:\Windows\system32\powercfg.exe  (depth 6, PID 6056)
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            - Power Settings

          C:\Windows\system32\powercfg.exe  (depth 6, PID 5888)
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            - Power Settings

          C:\Windows\system32\powercfg.exe  (depth 6, PID 3580)
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            - Power Settings

          C:\Windows\system32\powercfg.exe  (depth 6, PID 1968)
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            - Power Settings

          C:\Windows\system32\sc.exe  (depth 6, PID 5020)
            C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 5568)
            C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 2464)
            C:\Windows\system32\sc.exe stop eventlog
            - Launches sc.exe

          C:\Windows\system32\sc.exe  (depth 6, PID 5268)
            C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
            - Launches sc.exe

        C:\ProgramData\AAAAECGHCB.exe  (depth 5, PID 6052)
          "C:\ProgramData\AAAAECGHCB.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

          C:\Windows\SysWOW64\cmd.exe  (depth 6, PID 1952)
            "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\schtasks.exe  (depth 7, PID 232)
              schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe  (depth 5, PID 4344)
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BKJKEBGDHDAF" & exit
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\timeout.exe  (depth 6, PID 6036)
            timeout /t 10
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

C:\ProgramData\GoogleUP\Chrome\Updater.exe  (depth 1, PID 3012)
  C:\ProgramData\GoogleUP\Chrome\Updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (depth 2, PID 3664)
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\cmd.exe  (depth 2, PID 1952)
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

    C:\Windows\system32\wusa.exe  (depth 3, PID 32)
      wusa /uninstall /kb:890830 /quiet /norestart

  C:\Windows\system32\sc.exe  (depth 2, PID 3044)
    C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (depth 2, PID 2948)
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (depth 2, PID 5816)
    C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (depth 2, PID 5944)
    C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe

  C:\Windows\system32\sc.exe  (depth 2, PID 4604)
    C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe

  C:\Windows\system32\powercfg.exe  (depth 2, PID 1716)
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Power Settings

  C:\Windows\system32\powercfg.exe  (depth 2, PID 2988)
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Power Settings

  C:\Windows\system32\powercfg.exe  (depth 2, PID 3248)
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Power Settings

  C:\Windows\system32\powercfg.exe  (depth 2, PID 5576)
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Power Settings

  C:\Windows\system32\conhost.exe  (depth 2, PID 5652)
    C:\Windows\system32\conhost.exe

  C:\Windows\explorer.exe  (depth 2, PID 4872)
    explorer.exe
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Desktop\New folder\S0FTWARE.exe  (depth 1, PID 4796)
  "C:\Users\Admin\Desktop\New folder\S0FTWARE.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  (depth 2, PID 4496)
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry

C:\Users\Admin\AppData\Roaming\service.exe  (depth 1, PID 2056)
  C:\Users\Admin\AppData\Roaming\service.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 1956)
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe  (depth 3, PID 1396)
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\Desktop\New folder\S0FTWARE.exe  (depth 1, PID 2320)
  "C:\Users\Admin\Desktop\New folder\S0FTWARE.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  (depth 2, PID 1052)
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry

C:\Users\Admin\Desktop\New folder\S0FTWARE.exe  (depth 1, PID 5384)
  "C:\Users\Admin\Desktop\New folder\S0FTWARE.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  (depth 2, PID 5916)
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry

C:\Windows\system32\NOTEPAD.EXE  (depth 1, PID 196)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\Readme.txt

C:\Windows\hh.exe  (depth 1, PID 5420)
  "C:\Windows\hh.exe" C:\Users\Admin\Desktop\New folder\mui\0409\msdasc.chm
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\werfault.exe  (depth 1, PID 1460)
  werfault.exe /h /shared Global\8789efd845784e4083666814d4a057ca /t 4204 /p 5420

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 1, PID 452)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 756)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fccccc40,0x7ff8fccccc4c,0x7ff8fccccc58
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=1816 /prefetch:22⤵PID:924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=2124 /prefetch:32⤵PID:5260
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=2196 /prefetch:82⤵PID:4664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:4296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3292 /prefetch:12⤵PID:3252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3580,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4424 /prefetch:12⤵PID:3132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4592 /prefetch:82⤵PID:5196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3784,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4724 /prefetch:82⤵PID:2936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4832 /prefetch:82⤵PID:4656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4912 /prefetch:82⤵PID:5948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3328,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4408 /prefetch:12⤵PID:3884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4992,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4312 /prefetch:12⤵PID:5660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4340,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4400 /prefetch:12⤵PID:5016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5044,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=4580 /prefetch:12⤵PID:3676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5268,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5284 /prefetch:12⤵PID:4068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5508,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5496 /prefetch:12⤵PID:1436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5640,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5628 /prefetch:12⤵PID:2152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5648,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:2976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5908,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=5916 /prefetch:82⤵PID:5512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5952,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=6108 /prefetch:82⤵PID:5640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5352,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3252 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:5904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5976,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=3108 /prefetch:82⤵PID:5780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5312,i,6137875749724700012,9320713688763767931,262144 --variations-seed-version=20241011-130141.903000 --mojo-platform-channel-handle=6024 /prefetch:82⤵PID:3612
-
-
C:\Users\Admin\Downloads\CheatEngine75.exe"C:\Users\Admin\Downloads\CheatEngine75.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\is-3J0T3.tmp\CheatEngine75.tmp"C:\Users\Admin\AppData\Local\Temp\is-3J0T3.tmp\CheatEngine75.tmp" /SL5="$8039E,29027361,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\is-SATBO.tmp\CheatEngine75.exe"C:\Users\Admin\AppData\Local\Temp\is-SATBO.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5592 -
C:\Users\Admin\AppData\Local\Temp\is-JAS3K.tmp\CheatEngine75.tmp"C:\Users\Admin\AppData\Local\Temp\is-JAS3K.tmp\CheatEngine75.tmp" /SL5="$A02BC,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-SATBO.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:104 -
C:\Windows\SYSTEM32\net.exe"net" stop BadlionAntic6⤵PID:3448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BadlionAntic7⤵PID:716
-
-
-
C:\Windows\SYSTEM32\net.exe"net" stop BadlionAnticheat6⤵PID:4196
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BadlionAnticheat7⤵PID:1580
-
-
-
C:\Windows\SYSTEM32\sc.exe"sc" delete BadlionAntic6⤵
- Launches sc.exe
PID:1340
-
-
C:\Windows\SYSTEM32\sc.exe"sc" delete BadlionAnticheat6⤵
- Launches sc.exe
PID:3108
-
-
C:\Users\Admin\AppData\Local\Temp\is-EBNTH.tmp\_isetup\_setup64.tmphelper 105 0x3DC6⤵
- Executes dropped EXE
PID:3172
-
-
C:\Windows\system32\icacls.exe"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)6⤵
- Modifies file permissions
PID:4216
-
-
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe"C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5460
-
-
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe"C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992
-
-
C:\Windows\system32\icacls.exe"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)6⤵
- Modifies file permissions
PID:2632
-
-
-
-
C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5304
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:6072
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:568
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
SHA256fcc19382d2fe254237d007eff493add9524b54dffb759bea588f85a3744bc807
SHA51291f310e9f5a4f73868520d41ab246064d3c44c7c40273ae37c51756d37cdc23dc0be489acdb325e6355fbf86a759c74aa795df21ccad7b297ebd38c50654a8ed
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd56b9cc-6c28-4c76-9be2-8a533738adf9.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
228KB
MD5b3ada80364a89706041e5b9c954212e8
SHA1f5f0145281791d5d33cc8d5096dc52e7e38ea31a
SHA256af053d04f61ff66922be217e452dc502a2b597365aa2531cfb98714825492e09
SHA51271f7caa432eac3d49a691f6f0a7b24c283c6343bf3c95d6751abd5abd45ac6f06d105c88cc1f720bed56efa61e3e3f2c9f6bf44af78c1cfee15aef289a5c9f54
-
Filesize
228KB
MD5697eb0647d89709fee9aaa6fe70b2c43
SHA1e7393053b7e966878bbfa5cfb3a5837e09075fec
SHA256a090f2abdc753e58da164f2c4536b676394c479900755a82d2a094e66935581e
SHA512908f505817b9ddb320dc0ddf4a9de35df2ccf122d701d8b592759793b4d21ecb2ecfac9948be821c924e158ca6e54b887945c269f1b9d87bae54cfed0b69dfce
-
Filesize
228KB
MD5e1160f8f99c7e87470d70c67dd163055
SHA13683d9ea10dbbd15b880a21419c2b37a3dcff3e9
SHA256d7b98baeb860453cdee56d6c547af17f5b0d3831bc5b627e1498a526570a647f
SHA512acea723f341e86ce6370b18d98f9f51dc260bc453fdcfb54ba5a1f9246c1dbefd9cc7a1d1ab7ab2436a4c843135a45da1aeb72e98d143f7a72edce873f38cffe
-
Filesize
116KB
MD57f5f4b3c97a1c717f9815775ace8472b
SHA1f40b7e28c64a21d6f81a4a461145f4a76d569c8c
SHA256257289d8e4ad966ad7d9bb73954c74c488a82394fd87ad94f05ce4bd151a639c
SHA512f6266be191a47e5a04d69b5f2ecb1cf62de6fff5382068c4a98d27d777ea8d59d4dcc5479dadabd5c567034e416f3e54ab9f770f428eed3ead60fa9bac0f975f
-
Filesize
116KB
MD58989b1315b5317cb720073db6c0b31b6
SHA1c536145ca1bd9b40c12ba3eb5ab6b6ee7846086c
SHA2560a4b410e8032ff72b2a2613207ae634719e64e3958df58f8357ff85d01934983
SHA5125c75c25166aba412c9af532ac3ddbb9e49919fb8f65701bf183365242251dda01260037263f1a06f4195690cb9f10543110c005a2d637e247d997d499bb7cb2d
-
Filesize
228KB
MD5f3d2d701426feb1a36c3f627acf84887
SHA13eb4e9f9e98620314d49697a3055482e92508067
SHA256041cffe056846373fe844d6cef738d0ea567abbac647a86aa6a269ae69eeaa22
SHA5120f5c23a0d58130ca17d66f2dd00524f195d8007aa5fbda5888df57628899b5ab1551c2b8106ca471819af11a48518b702b538a41f01ba67f67d455e5128b4362
-
Filesize
228KB
MD52767d73c57e161478100890e0b0ee9a9
SHA1708ed99abcb924a967bafc24371dd6cfe26b7bdd
SHA256c8781fcc2152f57cc708271dfc61d8169075ab6a148214b51f677aeeda421b1a
SHA5121b31bd964dd4d1d2930c98cef9afd1bbf7a011c3bbbf01611dd9dce993fbd4f1b330f4bde01dd60e188c2d6d8faab189683bd64a18dc8e5c97e696dffc9ac7fa
-
Filesize
116KB
MD5e334defec6cb486b296cc21524db5599
SHA113a56d55581bdcdba500d1e19c8f82620c7e561b
SHA256a0d25924f15cb0121da24c2704fe6935d1845f45715e049375db0afc1d66bfa8
SHA512bf3b60926c7936b570485a2201accbac56cf431e708560bb220cb31f44f2f9ab583eeda7a83ae9a6cbf83ad0a3baed4768f6e51490e3e9c46b2f1617ec0cfa82
-
Filesize
116KB
MD572041a02f842b2f90a20eb66a3fcbf3e
SHA16be3c488be63b96458663c78e2405cb15f9501c3
SHA25687e408952ae33e5f196e05a530ba89ac4fe362314a5f3d49ccdd3b29b43ed5f9
SHA5127d3180c56e0edb999f81c4ed09260d5dc001f0bde0c821eb7653e4eac66f50e04f9f10eb04982e82b78512cdbbe55123cdaf4d2ac0320237d40ed4546e091799
-
Filesize
264KB
MD51097e2f88f4ae8c6ac097e7daa9c4f42
SHA192fd6b2954e800c70ecd8fe098fc896c59023240
SHA25644defae57bbbeba1872a2f4a95477b20f9b5b4a2b8da9696b5f22978fdbc5a71
SHA5127862cf605cdb1f0abfb92db1b167b4f4c7e1b5ecac35538a2c279a3ad11883c313bf0a5ccc8da4d2c36e4e4729650bdf40374c1a379501027666465c7ffc4db1
-
Filesize
85B
MD5bc6142469cd7dadf107be9ad87ea4753
SHA172a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA51247d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182
-
Filesize
40KB
MD514651e319afea0e413ee23cf82d58bcd
SHA15babcd90792dc54e869c23ac01a6fca50ccbc0f4
SHA2560f63dfd04d7944d5cd8e2385db9958b1eb8319cd0bf0dd16b51d5fd196e9c654
SHA51245a62eb6e813beaec0a7533ee9e500fe37ab77486058660f0773aeac73d2f5536bd7f01ea56ba399b51c132f29eebc9648be8f969d155246375a9938e0a694f4
-
Filesize
24KB
MD571c1634b22761bde37131d000d674510
SHA1eceb2032afe89c845f7c0aa72c907773503de5e7
SHA2561f82a6cbe850bc355ba8eb9ebda7c733866781bc73f3357935f7fcafd6a601d4
SHA5129191862b4b34ffd6ea865fa9bc51c26189cd7a9227d22494197a72472052209f138b9b84765fe23ff313aa64181f5085c61874c66652822ff0b2e9f5619ea359
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\00d68ff8-8d65-4dee-9874-8865899b3cc4.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
9.1MB
MD5de40920ceb6061d4a5b62fd03a9438c5
SHA1eb3d3f46aad57e868b9d4b2c07d24410bfd2ca85
SHA256959e47ec654acce16b8df4466da97f8479d65b9a69a2c3603c3cb6856ceaecc0
SHA512fa0ea73440e794092045fdada16fb702ae7e5962a09d2fa62d7873a1c211c9b55037cb34c15477cdaf6052a0d7443ce413cebe35e4785032718666246af712f6
-
Filesize
315B
MD57a0d3d6a047b2326bebbf5f2a84800a1
SHA158eb0d21405c813b250fec5491a80ee46edfc70e
SHA25686eeda0fd648a14712241ab0e1cbbf3aad703dbba90d9c272861399c614c01b9
SHA51207f9b6a4c2a9d64b25e4a3cf3d24d004ec09189d62f0cc64fdafb06889fa9078624cdc17d08a5f0d10efb648d9b93088fa51b184719a22158a7d4cce90387485
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
47KB
MD54cfff8dc30d353cd3d215fd3a5dbac24
SHA10f4f73f0dddc75f3506e026ef53c45c6fafbc87e
SHA2560c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856
SHA5129d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139
-
Filesize
248KB
MD5b24e872bd8f92295273197602aac8352
SHA12a9b0ebe62e21e9993aa5bfaaade14d2dda3b291
SHA25641031efc4f7e322dc5ffacc94b9296fb28b9b922b1ce3b3da13bf659a5fd2985
SHA512f08ac681abc4e0f6d7a1d1f2303169004e67c880f9353c0ed11dfab3eb511ddf841fa056f4090da8201c822c66ae55419c48cd87f11b9866feb46a3fe2c2af99
-
Filesize
248KB
MD59cc8a637a7de5c9c101a3047c7fbbb33
SHA15e7b92e7ed3ca15d31a48ebe0297539368fff15c
SHA2568c5c80bbc6b0fdb367eab1253517d8b156c85545a2d37d1ee4b78f3041d9b5db
SHA512cf60556817dba2d7a39b72018f619b0dbea36fb227526943046b67d1ae501a96c838d6d5e3da64618592ac1e2fa14d4440baa91618aa66256f99ea2100a427b4
-
Filesize
2.0MB
MD53037e3d5409fb6a697f12addb01ba99b
SHA15d80d1c9811bdf8a6ce8751061e21f4af532f036
SHA256a860bd74595430802f4e2e7ad8fd1d31d3da3b0c9faf17ad4641035181a5ce9e
SHA51280a78a5d18afc83ba96264638820d9eed3dae9c7fc596312ac56f7e0ba97976647f27bd86ea586524b16176280bd26daed64a3d126c3454a191b0adc2bc4e35d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1.5MB
MD50330d0bd7341a9afe5b6d161b1ff4aa1
SHA186918e72f2e43c9c664c246e62b41452d662fbf3
SHA25667cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
SHA512850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1
-
Filesize
3.8MB
MD546c17c999744470b689331f41eab7df1
SHA1b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA5124b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
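The dropped-file records above are only useful once they are machine-readable, and a copy of a report like this is easy to damage (the hash label fused to its value, a digest truncated, a size wrapped onto the next line). The following is an added example, not part of the sandbox report and not Triage's own tooling: it parses a listing in exactly the shape shown on this page, flags digests of the wrong length, and checks a file you hold against a record's hashes. Assumptions not stated by the report are marked in the code: size units are treated as 1024-based, a path is recognised by a Windows drive prefix or a leading slash, and the two well-formed sample records are copied from the listing above while the third is constructed with a deliberately truncated MD5.

```python
"""Parse a Triage-style dropped-files listing and verify local files against it.

Added example; not part of the sandbox report. Input shape assumed: an optional
absolute path, then Filesize / MD5 / SHA1 / SHA256 / SHA512 lines (label may be
fused to its value, e.g. "MD541048...", or the value may sit on the next line),
with a lone "-" between records.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}   # assumed 1024-based
# Longest labels first so "SHA256"/"SHA512" are not taken for "SHA1".
_LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*(.*)$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    path: Optional[str] = None
    filesize: Optional[str] = None
    hashes: dict = field(default_factory=dict)    # algo -> lower-case hex digest
    problems: list = field(default_factory=list)  # validation findings

    def is_empty(self) -> bool:
        return not (self.path or self.filesize or self.hashes)


def approx_size_bytes(size: str) -> int:
    """'11KB' -> 11264. The report rounds sizes, so treat the result as approximate."""
    m = re.fullmatch(r"([0-9.]+)\s*([KMG]?B)", size.strip())
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.filesize = value
    else:
        rec.hashes[label] = value.lower()


def _validate(rec: DroppedFile) -> DroppedFile:
    for algo, digest in rec.hashes.items():
        if len(digest) != HASH_LENGTHS[algo] or not _HEX_RE.match(digest):
            rec.problems.append(f"{algo} is not a {HASH_LENGTHS[algo]}-char hex digest: {digest}")
    return rec


def parse_listing(text: str) -> list:
    records, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # record separator
            if not cur.is_empty():
                records.append(_validate(cur))
            cur, pending = DroppedFile(), None
            continue
        if pending is not None:              # value wrapped onto the line after its label
            _assign(cur, pending, line)
            pending = None
            continue
        m = _LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        elif re.match(r"[A-Za-z]:\\|/", line):  # assumed: Windows drive prefix or POSIX root
            cur.path = line
        else:
            cur.problems.append(f"unrecognised line: {line!r}")
    if not cur.is_empty():
        records.append(_validate(cur))
    return records


def digests_of(data: bytes) -> dict:
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def verify_bytes(data: bytes, rec: DroppedFile) -> dict:
    """{algo: matched} for every digest the record carries; empty dict = nothing to check."""
    computed = digests_of(data)
    return {algo: computed[algo] == digest for algo, digest in rec.hashes.items()}


def verify_file(path: str, rec: DroppedFile) -> dict:
    with open(path, "rb") as f:
        return verify_bytes(f.read(), rec)


# Sample input: first two records copied from the listing on this page; the third is
# constructed with a truncated MD5 (30 hex chars) so the length check has something to flag.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd56b9cc-6c28-4c76-9be2-8a533738adf9.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce99
-
"""

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(rec.path or "(path not captured)", rec.filesize, rec.hashes.get("SHA256"), rec.problems)
```

Records without a path (most of the ones above) still parse; only the hashes are usable for matching, so index such records by SHA256 rather than by name. `approx_size_bytes` exists because the report's sizes are rounded: use it to discard obviously wrong candidates before hashing large files, not as a match criterion.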