Analysis
max time kernel: 382s
max time network: 380s
platform: windows7_x64
resource: win7-en-20211104
submitted: 04-12-2021 06:45
Static task: static1
Behavioral task: behavioral1
Sample: 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.zip
Resource: win7-en-20211104

General
Target: 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.zip
Size: 41KB
MD5: f57a2e95937e7727c82b0782e1cdd0d0
SHA1: 570ac30c3c40c62d67ac39e857e840b69908ed16
SHA256: e038bb439a412f1c98d22a9a4726fbe0747a8bbbb48a8d26ac4dcb039f29e53e
SHA512: be171554a26d962445b8a9238abc6faecd2398dc04305730ef44f03418f20971657254f04887c4dbbca87d0a360077cb9e4666747882ba4bdc82e8d567858647
Malware Config
Signatures
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process | 1936 | 992 | hh.exe | POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process | 1652 | 992 | hh.exe | POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process | 1988 | 992 | hh.exe | POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process | 840 | 992 | hh.exe | POWERPNT.EXE
Drops file in Windows directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies Internet Explorer settings
Processes: WINWORD.EXE, iexplore.exe, IEXPLORE.EXE, hh.exe
Modifies registry class (64 IoCs)
Processes: WINWORD.EXE, rundll32.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
1932 | WINWORD.EXE
992 | POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes: chrome.exe, taskmgr.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | process
Token: 33 | 1792 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1792 | AUDIODG.EXE
Token: 33 | 1792 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1792 | AUDIODG.EXE
Token: SeDebugPrivilege | 1956 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: chrome.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: chrome.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid | process
1932 | WINWORD.EXE
1932 | WINWORD.EXE
992 | POWERPNT.EXE
992 | POWERPNT.EXE
1936 | hh.exe
1936 | hh.exe
1988 | hh.exe
1988 | hh.exe
1652 | hh.exe
1652 | hh.exe
840 | hh.exe
840 | hh.exe
2544 | iexplore.exe
2544 | iexplore.exe
1324 | IEXPLORE.EXE
1324 | IEXPLORE.EXE
1324 | IEXPLORE.EXE
1324 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: WINWORD.EXE, POWERPNT.EXE, chrome.exe
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.zip1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5701⤵
- Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SelectShow.tmp
  Signatures: Modifies registry class
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\UnblockClose.odp"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\hh.exe
    Command line: "C:\Windows\hh.exe" -mapid 183675 "mk:@MSITStore:C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM"
    Signatures: Process spawned unexpected child process; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\hh.exe
    Command line: "C:\Windows\hh.exe" -mapid 183675 "mk:@MSITStore:C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM"
    Signatures: Process spawned unexpected child process; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\hh.exe
    Command line: "C:\Windows\hh.exe" -mapid 183675 "mk:@MSITStore:C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM"
    Signatures: Process spawned unexpected child process; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\hh.exe
    Command line: "C:\Windows\hh.exe" -mapid 183675 "mk:@MSITStore:C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM"
    Signatures: Process spawned unexpected child process; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\UnblockClose.odp"
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5834f50,0x7fef5834f60,0x7fef5834f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1108 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1296 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2664 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3668 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2088 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3408 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1628 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=776 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,15289816116552080722,16241037223960729230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3240 /prefetch:8
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5834f50,0x7fef5834f60,0x7fef5834f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1112 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1324 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2648 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3876 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1624 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1120 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,13658123969537667562,6258378790003701906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 /prefetch:8
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Fake BSOD.zip\Fake BSOD.html
  Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
07e8de5d994f6b43c4625d69f2a5c366
SHA120efc547df465e576f1a207ce78809ccb046e0d9
SHA2567a4a3890da177f7770ba9c7b0b37b630b1357af84471c9fd727cf34db75ce727
SHA512c81ee863751c18c2ac21a45a0c3e6cfcbdc5f79eae3236690b4e1e354efafbdadbc4e37a26ce365be63224425cdfcc710d87c2c695a68784348bcfea2994331a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.jsonMD5
90f880064a42b29ccff51fe5425bf1a3
SHA16a3cae3996e9fff653a1ddf731ced32b2be2acbf
SHA256965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268
SHA512d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.jsonMD5
0834821960cb5c6e9d477aef649cb2e4
SHA17d25f027d7cee9e94e9cbdee1f9220c8d20a1588
SHA25652a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69
SHA5129aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8921.104.0.3_0\_metadata\verified_contents.jsonMD5
8e11336217e78dcf7bca9a9771b031c9
SHA1e90e58888d2f94b804dc46daa29cc983f88528bf
SHA25617a39b8542333edbd1dbae53857c1e140f6421565d00515d4eeaf31978073f87
SHA512e3cd3dc6cef3d940c60cf7d9ddc0c2eba07de077e3607a4c1b9876a1af6446ed6681c3598c131e510e646d737f5401049207335fd5c7e9e1c8feeba592912a57
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\FaviconsMD5
16344e3e89d6b06da99251baa8fb39f8
SHA1debf7b87efa02808beeb94b62c80e6b5030b08ab
SHA256e52ac012cebcc700605273db37ff431b7bc0c0adb9e5a33f870594f764d53037
SHA512955709849c9591c44a859f7d17bfc44e5c52d34bb8127949a3715b0638558695f0ea5ea5d7f28944e486b4b392871adcf4de73bc41757f523b72a8457022de64
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\HistoryMD5
b65705d1687a53b6ab48132d4e4b3132
SHA1cc975c2b224e72caaffbf53524f8e29ec6eb990d
SHA2564e350319e102980c299b54d16fa1dc0216fda36b0445532fe871c04f9037e3d0
SHA5120c2d61a9b10c8438fa4f51a387a121f37964f7da0eea3aaf744a5f663852a186d3e9c9726092d82ff4dc5b81f97b2f6e64f26aa360ea8459f479f18225ea5c2e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountMD5
b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesMD5
6a5adb6886fbff0890810e11f345299c
SHA166aa05e94e987f47fe96fa817e7588db5b2ed677
SHA256feb7b22df2247eaf0690e51362ecadd3bab0dfa48bd4a707b4e498fd673c5c8c
SHA5127e298f3ce0d00f7031192cbf86aafe892e0f5b5a0a3d4a79b866512baeb5aa93037e72907a7b1938ae609c8c98ce556681da0748aab4e2af9e7f989a874a8502
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesMD5
ed633f0f3be26ad2dd581c463b721ddb
SHA11bafa4ddf52330af3cdfcfadacf91a0e65e2ed3a
SHA25631d83db7bc61cc258a591f4d62dad3bd08e2ddcc09287df68b4ea341e3be25c6
SHA512d2500c8cc7b322fe4c3818ab7220d8f9e2b55b27e94199d1226f0eed00f851f328c690ab78cf1c6245713e34e97f9013e0a1b92c03a0abb51a721560a0ac6619
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13283073876386321MD5
03b3fa113a25e38d014cb39272909093
SHA1f9c7aaced23a067f4f53a8b4d9ea28d25824ccb4
SHA256a6a35265e91812e0cd82fc454dc086573f983a9712f23fa3b3acbd3d59194cbb
SHA51273d3a0c2ac416a43639dc4539940edb61021267ce529f6d8ace61ae14ac59d3cf2d7beda8a31947c339db550f312525065fdac14f57fa171f596dbb27320541d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.logMD5
4964476dc82e5691157b3e35069a1fdc
SHA1c545f06673caeefe53143560cc10db192960596f
SHA2566f80e2c239fa2bff64930246f96b700c734dc127b69e84dc629f463f464d3c0e
SHA51221bfd0f73cebbb340f43d2eb657e8866c43c68d769dc822d53c2aadd3f9425167f789777aee6902dd041bf8c7cb2a75c3352adc3b42453351d28a583ec9f6fae
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOGMD5
df70a7e78df25bc4f4b226083b32bbe3
SHA159430d9a0e0b5c145d877da9cb89ceef2141fcab
SHA2563c72514ebca493df0fb15bfcc5ad0e2f13267d20f2ad515452919cc20cc3e15d
SHA512576d9d23c26b78528f16586bf4a3a8383f998d43f7e2a121860664ddb1d66c6f227340628037a4a4b5399b4b73a897f0205fab6800042c1f0348bdf0fb941e9f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logMD5
de92ad90be6d3364745b2f73f4c3cf73
SHA19158681463bd30e5af4dda4baac81f93cedbda77
SHA2560025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0
SHA5129e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOGMD5
2aaa73c90846d89a56bd337638937073
SHA1c586cd863f0f4db29828ea32776d1152ed7b151d
SHA25607637599eabb4767ff825a6311c1de70c63e1d5d1ca9f835414f478467065c8f
SHA5124c20840b8b2605602965b51f451e9b0b775b91f3be421fe9fdde4ae6121e3d391b0bf26050907ef35e193af2c2ce37fa00e079e3b25c98acb8c8d9537be7522c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited LinksMD5
9c3a577773281b0b8658f3d2f79f632b
SHA10bebc9cddb1f225e5208987d580fd4e891da9406
SHA256db03bcb33b950fbaa5507a9570603d7f387dbbecef3a7d617f732e679f7ac4e4
SHA51203036e09a6e567bb2af49fc152a26b6f93fff3fd305ed0afab738b90842f339c2623d2c170e82469bf2ce832efdd299ed65910506d34b3572f2b3aa53ce40b88
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Floc\1.0.6\manifest.fingerprintMD5
aa9b8b29e3d553eb48973a7ff3d5fea5
SHA1d8f0a1d39c59b4c45406e1481910992f7c23192b
SHA25660d8dd0ecef5bc2e653e1ce906d4baf07d56491b39b29f051f414288a84720c3
SHA512a73f7a352ce648bf40eeeb27e3ab3e6fcbf54e7dce7f5bcd656205b7dbcf00e5a1a1e48b375ea82d4ce7cd7416142e04c22d346566cbf9c661c29377784c6e0e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Floc\1.0.6\manifest.jsonMD5
441350f2f2f1f5726a84e989f3f9bf91
SHA1c9530224671f181ae8ed47dba82741b8ad920ea9
SHA2563640148f4eadb7d60185671799c27a8c530295076af9179705eaa6d4c544d627
SHA5125ac785e7f3a35035b4958b2ef33534ab6e0448cdc5a5a881911123545930daaff6759ab2ab663327525a496e306cc1c98fd5f0ee079e2c6d92c47fd0cfab51de
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last VersionMD5
b63048c4e7e52c52053d25da30d9c5ab
SHA1679a44d402f5ec24605719e06459f5a707989187
SHA256389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateMD5
1eff4c3159127bde2688ff5e07827e47
SHA12d3e9bbfec3d63a9c5686af41e1e6dc0aaa5eaa3
SHA2565f6e276fad5868add0081f1ad401ea06d0fb96aa68ab2291501a40766a571cf7
SHA512edd12d56e71d7ce61a17c3f42493bf35fdd231213761891c673ef325f062be1e7ed06d340470e632b4217c77710b785e3e3f99e26b4fe0ff32fe3dcb46671457
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1MD5
c8253ece93d04a4f01868af5bf6cce01
SHA19288d680be0853a246b89b0c3580aa47dae6f2d8
SHA25639f965145d0610c3098cd2803eded11456515f9e738606bd566684b2423fa68f
SHA5123f6970e87fb0303f2c72f646ef1ae90c7f50d3016b20a4f84ac9a728eb8b992fb85ec5e6e142b9690b40678047997a8f464525cc2d4b7e3f0685411e64eb5a8e
-
C:\Users\Admin\AppData\Local\Temp\18437F3.tmpMD5
8280963454d17e0527c8f6e968251757
SHA1faf433103459114652142b51290376275ffb14f3
SHA25619379476b8b7f3ead4db945110cfc60c47a10710a080df9da6696be003631dd8
SHA5120bc1c6c02c5f26f7b232be2f47e5fe8e381851800ddec9cc9a8390b27421c84abc5c277a618a607aa86ac3f45b8941c6018ab2d199869eb1df911d0cc8bf2019
-
C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.datMD5
82f8cfdb8312ee54c1491cb5e96bab4d
SHA1a7abae600d8ba5909cabae304da80435a7cb64bf
SHA256c42da6502cad4e10c1049c97faebce24301404c578bde453a95d190f192a63ff
SHA512ecc77ae0b0f0ea42a49fd6cb4d8b60c9a237f0d82e40e5d21561c9eab022ddd28b2489164234c58621558734b7f8b5a0af3c275e68c36f1c2de5064fb09274d2
-
C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
MD5 e6bd0c6315f01342529538549b2ea34a
SHA1 3b98966ea516b5a166588fd41986792ee8c2b8eb
SHA256 a4d7fdbb2602dd29782f155cd14ff45a604c13516b5e14b1349c99297e44a8a2
SHA512 35903dd575f6870915ef5b9009ef59ece45ae6f3260d902acce7e67972413d3c5734c0a3571dc78dcedda172175da25d671ad87d46da712b1c960442427a1be4
-
C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
MD5 53f30c5356e5483e6b9975e8d1a7cc34
SHA1 872e77814d5990444d1638b0a75b3cb3bcf566a2
SHA256 0b98094c429e8c4669b45fb5856adcec740196f7e94ba583127832d25b39b454
SHA512 11c0078b8c9581981cdf33ad427ba7425a4465bece313e5bf125ed397fe9f172acd24bfce560c86d6589ea9db71f42ae070bbcb5e38d59172cd9ce5afb997dc6
-
C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
MD5 73c556c962e54b9ea9d9f4c7b4bdd510
SHA1 aac77a6ca42a5691add6c289937246cdeeb28db0
SHA256 8c3cebed35653239b78b6ce1c9725877a5010bf4551755a4e7fde59b1e783713
SHA512 84e1bc6133aefbd76e0c7d8db1c8195f461a7db04ff7274e0a72d36ee7ea516ac404a652a4f6f766fb761e12c76c41b594b690a1c2af2e959b13d2730ddbb5a0
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_2092_QOJRRAYPFFSYQFBB
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_756_PGCXJWPRPCQJUFBS
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/364-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp
Filesize 8KB
-
memory/840-77-0x0000000000000000-mapping.dmp
-
memory/992-68-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/992-66-0x0000000070EE1000-0x0000000070EE3000-memory.dmp
Filesize 8KB
-
memory/992-64-0x0000000073D11000-0x0000000073D15000-memory.dmp
Filesize 16KB
-
memory/1324-108-0x0000000000000000-mapping.dmp
-
memory/1652-72-0x0000000000000000-mapping.dmp
-
memory/1716-60-0x0000000000000000-mapping.dmp
-
memory/1932-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/1932-59-0x0000000075C51000-0x0000000075C53000-memory.dmp
Filesize 8KB
-
memory/1932-58-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/1932-57-0x000000006FC61000-0x000000006FC63000-memory.dmp
Filesize 8KB
-
memory/1932-56-0x00000000721E1000-0x00000000721E4000-memory.dmp
Filesize 12KB
-
memory/1936-71-0x0000000000000000-mapping.dmp
-
memory/1988-74-0x0000000000000000-mapping.dmp