2e80059a92e23f07ece25cd25f4e855cb01c8623a5ca9d8d63756c2273368563

max time kernel
325s
max time network
1761s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09/10/2022, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

8^/10

collection persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\d:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4EB95E11-47F8-11ED-BF3D-D6AAFEFD221A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603c0d3b05dcd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "100000"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5436B3B0-47F8-11ED-BF3D-D6AAFEFD221A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D453BC0-47F8-11ED-BF3D-D6AAFEFD221A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "267"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395168194"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "266"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395168194"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "269"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000ddc5a00735ceff674cd7a45b7e1422893e6b84cfd3cf62f200d90b61ab2efb87000000000e80000000020000200000001fe5d851d6ba83eabbf355d96326fa7653f890d7411ff0cb5a0e267013f04b0220000000cc09ed528628b5ed74cfa3ecdecda4c0565666946dad1bca5c90391d3cd73fd94000000041080d1b2a9c9bed152562e25cbdc28ec7b417af752ba9f1402458d1eaa1189db4d7b745d820e289d5ccc7e4e05298be24013fc9d28821817e32c8c6964fef65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a2955b05dcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{631958A6-AD0F-4035-A745-28AC066DC6ED}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "375"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "675"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 9e0000001a00eebbfe23000010002f921e494356f44aa7eb4e7a138d817400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbea65819630fad3540a74528ac066dc6ed8207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 52003100000000000c55237b1020526f616d696e67003c0008000400efbe0c55cb700c55237b2a000000ee01000000000200000000000000000000000000000052006f0061006d0069006e006700000016000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "8"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 = 5e003100000000000c55d070100057494e444f577e310000460008000400efbe0c55d0700c55d0702a000000393e0000000002000000000000000000000000000000570069006e0064006f007700730020004c00690076006500000018000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000000000003000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000010000000300000002000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "75"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 52003100000000000c55cb70122041707044617461003c0008000400efbe0c55cb700c55cb702a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 60 IoCs

pid	Process
1292	OUTLOOK.EXE
2108	vlc.exe
2388	vlc.exe
2472	vlc.exe
2636	vlc.exe
2728	vlc.exe
3552	vlc.exe
3856	vlc.exe
4048	vlc.exe
3296	vlc.exe
3416	vlc.exe
3528	vlc.exe
4220	vlc.exe
4460	vlc.exe
4568	vlc.exe
4576	vlc.exe
4868	vlc.exe
4920	vlc.exe
5092	vlc.exe
4160	vlc.exe
1608	vlc.exe
4736	vlc.exe
5348	vlc.exe
5204	vlc.exe
5244	vlc.exe
4500	vlc.exe
6308	vlc.exe
6512	vlc.exe
6652	vlc.exe
6800	vlc.exe
6880	vlc.exe
7132	vlc.exe
6216	vlc.exe
6812	vlc.exe
6256	vlc.exe
2268	vlc.exe
6856	vlc.exe
1700	vlc.exe
4556	vlc.exe
2904	vlc.exe
7764	vlc.exe
8080	vlc.exe
7872	vlc.exe
8660	vlc.exe
8856	vlc.exe
9148	vlc.exe
8264	vlc.exe
8400	vlc.exe
9136	vlc.exe
7116	vlc.exe
9476	vlc.exe
9664	vlc.exe
9748	vlc.exe
9828	vlc.exe
6624	vlc.exe
5940	vlc.exe
7184	vlc.exe
7956	vlc.exe
5316	vlc.exe
10340	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
912	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 64 IoCs

pid	Process
2108	vlc.exe
2472	vlc.exe
2388	vlc.exe
2636	vlc.exe
2728	vlc.exe
3552	vlc.exe
3856	vlc.exe
4048	vlc.exe
3296	vlc.exe
3416	vlc.exe
3528	vlc.exe
4220	vlc.exe
4460	vlc.exe
4568	vlc.exe
4576	vlc.exe
4868	vlc.exe
4920	vlc.exe
4160	vlc.exe
5092	vlc.exe
4736	vlc.exe
1608	vlc.exe
5348	vlc.exe
5204	vlc.exe
1764	iexplore.exe
5244	vlc.exe
4500	vlc.exe
6308	vlc.exe
6512	vlc.exe
6652	vlc.exe
6800	vlc.exe
7132	vlc.exe
6880	vlc.exe
6216	vlc.exe
6256	vlc.exe
6812	vlc.exe
2268	vlc.exe
6856	vlc.exe
4192	explorer.exe
1700	vlc.exe
2904	vlc.exe
4556	vlc.exe
7764	vlc.exe
5208	rundll32.exe
8080	vlc.exe
7872	vlc.exe
8856	vlc.exe
8660	vlc.exe
9148	vlc.exe
8264	vlc.exe
8400	vlc.exe
5716	msdt.exe
9136	vlc.exe
7116	vlc.exe
9476	vlc.exe
9664	vlc.exe
9828	vlc.exe
9748	vlc.exe
9808	explorer.exe
8848	explorer.exe
6624	vlc.exe
5940	vlc.exe
5316	vlc.exe
7956	vlc.exe
7184	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5508	helppane.exe
Token: 33	5628	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5628	AUDIODG.EXE
Token: 33	5628	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5628	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	5508	helppane.exe
Token: SeTakeOwnershipPrivilege	5508	helppane.exe
Token: SeTakeOwnershipPrivilege	5508	helppane.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe
Token: SeShutdownPrivilege	4192	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
2472	vlc.exe
2108	vlc.exe
2388	vlc.exe
2636	vlc.exe
2728	vlc.exe
2472	vlc.exe
2108	vlc.exe
2388	vlc.exe
2636	vlc.exe
2728	vlc.exe
1764	iexplore.exe
1236	iexplore.exe
2728	vlc.exe
2472	vlc.exe
2388	vlc.exe
2108	vlc.exe
2636	vlc.exe
2816	iexplore.exe
1764	iexplore.exe
3552	vlc.exe
3552	vlc.exe
3552	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
2472	vlc.exe
2108	vlc.exe
2388	vlc.exe
2636	vlc.exe
2728	vlc.exe
2472	vlc.exe
2108	vlc.exe
2388	vlc.exe
2636	vlc.exe
2728	vlc.exe
3552	vlc.exe
3552	vlc.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
1564	chrome.exe
3856	vlc.exe
3856	vlc.exe
4048	vlc.exe
4048	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1236	iexplore.exe
1236	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1292	OUTLOOK.EXE
2108	vlc.exe
2388	vlc.exe
2472	vlc.exe
2636	vlc.exe
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
2728	vlc.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
2816	iexplore.exe
2816	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
1764	iexplore.exe
3552	vlc.exe
3264	IEXPLORE.EXE
3264	IEXPLORE.EXE
3272	IEXPLORE.EXE
3272	IEXPLORE.EXE
3304	IEXPLORE.EXE
3304	IEXPLORE.EXE
3856	vlc.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
4048	vlc.exe
3296	vlc.exe
3416	vlc.exe
3528	vlc.exe
1764	iexplore.exe
1764	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
4220	vlc.exe
4460	vlc.exe
4568	vlc.exe
4576	vlc.exe
1764	iexplore.exe
1764	iexplore.exe
3272	IEXPLORE.EXE
3272	IEXPLORE.EXE
4868	vlc.exe
4920	vlc.exe
4160	vlc.exe
5092	vlc.exe
1764	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2044	1564	chrome.exe	33
PID 1564 wrote to memory of 2044	1564	chrome.exe	33
PID 1564 wrote to memory of 2044	1564	chrome.exe	33
PID 1236 wrote to memory of 1344	1236	iexplore.exe	35
PID 1236 wrote to memory of 1344	1236	iexplore.exe	35
PID 1236 wrote to memory of 1344	1236	iexplore.exe	35
PID 1236 wrote to memory of 1344	1236	iexplore.exe	35
PID 1764 wrote to memory of 1256	1764	iexplore.exe	36
PID 1764 wrote to memory of 1256	1764	iexplore.exe	36
PID 1764 wrote to memory of 1256	1764	iexplore.exe	36
PID 1764 wrote to memory of 1256	1764	iexplore.exe	36
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 592 wrote to memory of 1924	592	wmplayer.exe	38
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 1980	1564	chrome.exe	39
PID 1564 wrote to memory of 912	1564	chrome.exe	40
PID 1564 wrote to memory of 912	1564	chrome.exe	40
PID 1564 wrote to memory of 912	1564	chrome.exe	40
PID 1564 wrote to memory of 1560	1564	chrome.exe	41
PID 1564 wrote to memory of 1560	1564	chrome.exe	41

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:1076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:472068 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:1913860 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:5780482 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:5452802 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:2896918 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5652
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1764 CREDAT:1586312 /prefetch:2
  2⤵
  PID:8828
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8649 WinX:378 WinY:33 IEFrame:0000000000041656
  2⤵
  PID:2124
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:74185 WinX:378 WinY:33 IEFrame:0000000000041656
  2⤵
  - Modifies Internet Explorer settings
  PID:8980
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:9816
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:74185 WinX:378 WinY:33 IEFrame:0000000000041656
  2⤵
  - Modifies Internet Explorer settings
  PID:8976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:9224
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1764 CREDAT:1455302 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:7592
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1764 CREDAT:3355749 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:2612
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:3945627 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:10016

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d4f50,0x7fef65d4f60,0x7fef65d4f70
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1076 /prefetch:2
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2432 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3268 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:8
  2⤵
  PID:6200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:7820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:8
  2⤵
  PID:10788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
  2⤵
  PID:8928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
  2⤵
  PID:10228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:6304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,7048534512003668203,2653526356970321332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  PID:6952

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:592
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:1924

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:1292

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1928

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2536

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2596

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2624

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2636

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2664

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2684

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2816
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2796

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3196

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3164

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3412

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3476

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3716

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3856

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3888

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3992

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3972

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4012

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3296

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3416

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3460

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3528

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3928

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3476

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4092

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3432

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4104

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4124

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:4172

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4304

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4316

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4376
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4416

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4392

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4440

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4748

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4784

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4852

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5036

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5060

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5020

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5068

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5092

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4112

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:4452

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2376

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4712

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:4976

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4388
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4708

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4736

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2376

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1608

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2956

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:2396

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5152
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5172

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",
1⤵
PID:5192
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5208

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5244

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5292

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5300

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5328

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5348

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:5356

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5388

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5508

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5564

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x630
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5628

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5780

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5796

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5952

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45548051 14854
1⤵
PID:6012
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
  2⤵
  PID:6080
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
    3⤵
    PID:6104
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
  2⤵
  PID:5156
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
    3⤵
    PID:5220
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
  2⤵
  PID:5272
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
    3⤵
    PID:5424
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
  2⤵
  PID:840
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
  2⤵
  PID:4420
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
  2⤵
  PID:5268

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6024

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
1⤵
PID:4528

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5204

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5484

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
1⤵
PID:5504

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5624

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5716

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5692

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5296

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL mmsys.cpl,,{0.0.0.00000000}.{34bbb4ff-b004-4b30-8cc1-cd057d67a399},general
1⤵
PID:5460

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6112

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:5336
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hva2tpsz.cmdline"
  2⤵
  PID:6052
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES322A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3219.tmp"
    3⤵
    PID:1916

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:5288
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5288 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:5384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5384 CREDAT:275457 /prefetch:2
  2⤵
  PID:6116

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5300

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5868
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:1340

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5244

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5476

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4500

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:6220

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:6236

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6308

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6372

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6496

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6512

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6652

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:6724

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:6764

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6780

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6808

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6800

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6860

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6880

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:6972

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:6992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7016

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7044

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:7032

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:7140

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:7148

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7132

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6216

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:6212

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:2736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6632

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6856

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6812

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6256

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6352

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:7144

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2268

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:7020
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:6636

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2736

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:7104

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4192
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:924
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
  2⤵
  PID:6608
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5612
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:1888
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2400
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:1324
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
    3⤵
    PID:7336
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:1904
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:2888
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
    3⤵
    PID:7436
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:6284
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:7428
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1700
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4556
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:4000
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2904
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:952
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:6728
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6728 CREDAT:275457 /prefetch:2
    3⤵
    PID:7448
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:7644
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7732
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7752
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7764
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7896
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8124
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:7560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:7664
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6788
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8080
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7872
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8276
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8408
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:8632
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8660
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:8708
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8680
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8648
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8756
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8784
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:8808
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:8864
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8856
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:9060
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9120
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9148
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9156
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8264
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8400
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9136
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7116
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:9372
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9476
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9664
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9748
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9828
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
  2⤵
  PID:10208

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:9808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:8848
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2124
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:9908
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:7632
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7632 CREDAT:275457 /prefetch:2
    3⤵
    PID:8720
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:3136
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5940
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5608
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:4964
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:3396
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:8152
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8152 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:6148
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7184
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8908
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5316
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:8420
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10220
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:3036
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9504
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7600
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:10340
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7728
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7204
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11252
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8440
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10620
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10680
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:10748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10748 CREDAT:275457 /prefetch:2
    3⤵
    PID:10724
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10664
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10092
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:3116
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10732
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10336
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:7036
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:428
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10560
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:5200
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5892
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:5696
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3504
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3504 CREDAT:275457 /prefetch:2
    3⤵
    PID:3836
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10456
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6692
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:1844
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:3080
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11212
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3772
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:8640
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8640 CREDAT:275457 /prefetch:2
    3⤵
    PID:8352
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:1596
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10656
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9192
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8460
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:9824
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9824 CREDAT:275457 /prefetch:2
    3⤵
    PID:9276
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:860
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:760
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275457 /prefetch:2
    3⤵
    PID:9864
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11068
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:4268
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11060
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11136
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7308
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10648
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" /name Microsoft.NetworkAndSharingCenter
  2⤵
  PID:6552
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:5424
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5424 CREDAT:275457 /prefetch:2
    3⤵
    PID:10192
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
    3⤵
    PID:7480
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:1728
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv"
  2⤵
  PID:960
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2520
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:8508
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:4652
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:3864
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3864 CREDAT:275457 /prefetch:2
    3⤵
    PID:8540
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11220
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10880
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10968
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11028
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11276
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11288
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:6644
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6644 CREDAT:275457 /prefetch:2
    3⤵
    PID:11408
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:10872
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10872 CREDAT:275457 /prefetch:2
    3⤵
    PID:10108
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:5280
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10920
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:5228
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:7820
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7820 CREDAT:275457 /prefetch:2
    3⤵
    PID:8088
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:4752
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12276
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1880
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
    3⤵
    PID:12136
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:2348
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:11844
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11844 CREDAT:275457 /prefetch:2
    3⤵
    PID:11448
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:275457 /prefetch:2
    3⤵
    PID:11592
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6464
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11720
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5620
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:2128

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5528

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
PID:2344
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2344_1287719316\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2344_1287719316\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ae9d199e-5da1-4741-a9b7-1ec258bc6158} --system
  2⤵
  PID:5448

C:\Windows\system32\prevhost.exe
C:\Windows\system32\prevhost.exe {914FEED8-267A-4BAA-B8AA-21E233792679} -Embedding
1⤵
PID:11388

C:\Windows\System32\xpsrchvw.exe
C:\Windows\System32\xpsrchvw.exe -IPreview -Embedding
1⤵
PID:11892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
491b16cb53161459040a97502a7acdc5

SHA1
6b3ca1c8d767d8f34c6a661382dc033d56a8872d

SHA256
a4960b10b23652117013557bfcee711484609be1fcd323144be0fa0ca5535599

SHA512
07ee69aecffe1b077fdb23310a902e3cc4864c601f601fe1276308469babe6a489e7c97fc81bede3fc152dd50f330868239c4e3044cd3729e048a2472300435b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7ea6337f58b680fa53a01c7c5f9d3bb6

SHA1
4c1660b9b6281030aff60c192549a1f4fae7e5ce

SHA256
2d33ec0117ab35f7bc2b251098faec605109d36296acf6f24e445977e8bb33fe

SHA512
452537b2e95a5ab69d1b19c43400acbd569ab14d2adb7d9900758d03bfc490322ccb057fb9b076f55cf796fb52abaa39d8138f9f0b8670dff8e63b4abef59069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
c70327720550d084d2c540cdac70c78b

SHA1
a0b953fd0d735ca4f51b508ffebd07b0252c928d

SHA256
09eccabae18f4d25903f796e8fa38a9141fbeaeb1a0b8c143e908ec13f1b932c

SHA512
bc1370f0e0b89ea367686e64d0dc27bfabc622d1b9904ea272e0c3a8151c45589ae436924e2c504f10825e378a6807cef9ba5c48016a47e90d97492d4e4552b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84925bf61a486e2074f8c71818af60b2

SHA1
fd65a2ed068450f5271921fafd60219d9b89bff2

SHA256
a6ae08b1fb0f59c0ae7876f266dae587dcffc3a9d987ce1762dd3c720a610b50

SHA512
45da8e14e79368d5a2a85f41f61dcf6d607152d131da5ba9b61c4e4216606d819adfbfcd60015da24d66010db6d231df2453e70858c733e4504ca7d60f9335b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deb7cc81bd677844e43882716fe54e29

SHA1
5910086ba81d787973e66384b41369414bd18bca

SHA256
c45984bea9e30759b43a956a71e0980bba17eadd5230549c1a2bc4af38de3c3e

SHA512
1d991242d7a3cf687efa1a285bcdffe5822b21028c29d5dcf2a309d2453c75932e834b41229c83071253b33d61c1bd8244280668373360b923f73edf9f809fb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e87fe2d3d4abf4b7a6d4348250d314

SHA1
bbafd48db640443f26d369f9a8b54733c12771b1

SHA256
012f355ec765ba446dc6fab43cbcef32ac8fe66ba8dc9ea610cfb87fc949e93f

SHA512
83d3e0ea4fcc558012b88548fa8e4f162c881e7a04a502d84ab4c0b13c79248a6f88f842fc705a96ad1fa62fe2481d8f5ecb46c696b7ce8964da815f2b9687f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a1661141f4b07a298a3d9f69cadabb1

SHA1
2764aea107eab5359e1cdd7a8a582ebf410944e1

SHA256
19385c9b45ecb5819c72c2c0f7080a2cab3859ba50889ba22b06101c6494d84b

SHA512
d5d25826e1851969a3a58df1e6c39bb09b83198a64b9a6d00003124da29040f67db10521ff4e180a45bb2be5a0f81afafe5071000d80a74aa2befba5ea42faa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f6f384142851fb92f971f2fc5cab953

SHA1
dff0ff25cd259da157b94c528731ba0cee2c04ed

SHA256
e8289a83aff921390308f0b578bc2468b73b68e762eda453e970b9b34d587b9f

SHA512
0af5c7c143f1ae978326744dc61913b7fd3be0a6d05da046af86d431bc213b4210766ddfcdb82e34e311b0e0e419a46afab15d07c6928dce5a11652aa946c07a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2897b0d08bdb90646a9f89b1cae2e760

SHA1
5e13d2cc2405a9c4471a11d6725c9b86e08a18a4

SHA256
b1998eb6b370b3742b14e234ee858c95f41bd4eea85917042bf2b17ccf9d92af

SHA512
c4d04309c600dcfca50cee17e165cf7563924060435ea264f8f392dbebcabffe72240163db15779a7dbdfa0f085f3d6501cab1fc618ddeb788579c7eb1823c08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49d6e1fc020a79e908958d420264899b

SHA1
3e5587fd5c722a455380281c39f7eb50a85c7760

SHA256
6a4c19ff835e7b9952194fbadae8a57e033bca234ea3a81946b5a739d9f075b8

SHA512
ee6d5904a336b79c572e225d4fc2a158f33f0fa38d5387eb5d188f05e70473e36afdf61761b6ce229afcbb503105d82728e65c274a979579906c0581905d2acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b3a115739bbf6b07558f4a45e03fda0

SHA1
dc0431a089772e197bef50345a8fd8291817550d

SHA256
a574c0ff8d9d31665fffad3e4bc4cd26b9b64db1791575f746a98b8d45b2c67f

SHA512
bec31159f9451310401466cdfd3191a32826ceebcbaefa6eff81c5ebd44bb7fab161a48b28eea122990c74e651d2eab07965d51218ce000f843931b4ba4935af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bdbd567a1a83a39438999d742ed6db1

SHA1
9708c2df7c739f78636011f12606b210ec575386

SHA256
3c407c0fcb795d28bb0e0b5e766c94e146cbd7950e126e0b64c0e8a84e9f3e9c

SHA512
b9611b89e36c518c395940301ac6021f6e96f89c0893baa1730d29ee6135ebb1cc446270e99bdaa2b74189b8e615d33a07fddbbd48eb799c17959123368ed2f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05acc67681573bb44a06aa4c474d6fe2

SHA1
4f9eb1392fa701c42dc3a84e2baadb589e1b17e2

SHA256
5f78e3e1477e7d6a78bc3c029d1b4c336b7e5bfd6f38fd9e87275e6fb1de6597

SHA512
93c14709e1b90943d3dcf77c00d6d3ba530c3603cd8189dfeb79a3469b683435f20e69006e8322a4eed25c8ae304a1d5dc8af821af302c0a7aad12d5099073f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2852f384bb74a24ad7437729eede07e9

SHA1
0dce65856cb551796dc91d1ff9edd7242acd2be0

SHA256
4b931a6f21d8ef82f36df13648a7e9d031a780cb9c2b4b2818fa2b1b2affd0ee

SHA512
c3018762369cc1f2863b5eaf18c8963a95161e5425f4967cfee925d8691ed45b6fc902ecec12e7ed05a0755fc703cca1e88bd0346a678366023c8fe0931445f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c95f289212afb2abdb9d33fc7566a340

SHA1
70d23df9664046a1527c1c7d98acf67cf6933573

SHA256
cd47eb915b99b4062230055cbeca5519c7bec074812cdf2bba2eec00de169a92

SHA512
ff6e3f0407b00f49dfef2c8d2379220ec1b985b8e848750c093bc603ad84f943ee09e17be61ed05fdf51df1bd4d81c8d609d42f7062b8a616598d641eb4d974b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85236e7b621b04324c1a3bb09e8cba2c

SHA1
61e9b552bf6d2a6ad564cad792be18e36ff31535

SHA256
49a1eb2af495ff7d5a7c55179187611eb6ba3dd8b43fc5daa1c34af632fa5923

SHA512
f4e33285c26a6b639678bfc4c150a718efb2fddcfac7baa57a7f415aa2a58b82a9471149245e7cb5654d571c2cce64562f468b7c82e1bbaa5c91a27d4825d079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e012269dbd4643cfc6ee794e103f85e

SHA1
958fe5fda43cdbf267c7d8417b5e417f77d26ec7

SHA256
bbbce75a431ddf4176106bbb1ca60c6f298cb8444f4354716a968fc1c7388ce2

SHA512
97d28a63b31e876348de62286707a86f558470bfa7f9f39cf03f74b88174f2b4ceeb203a6ed373f0142b816c9414f0e348b681784b157f3fdd336c333b250c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74e241c796f0c3e9f9fcc20bad2b3f85

SHA1
a9de486172d790611c30565806d8288b355d6361

SHA256
71f213298f2783894cf3eeaf2c07f51244c6eb4ac8da61435b6da885821aceee

SHA512
29ec13d4ddb27644319561b79b73bcfde41abff7160468df8f5858bbd221a135a30dd77cfb109b1c089f9b3927e81e85789363bd43618805e56434d07d6c712a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa3b3d4d8a22fd7ef7520c21d9e40373

SHA1
570ba8158e560124d26bc0befe4ac881485e4ea9

SHA256
5affcf5087859e81ce5b3d1f4b8d269d9d8ea9b9cc51bfd1b207265e1b767495

SHA512
acd2e1e2e76a9055a99733c6686dd08db07a6f97710b60ed18fc402d5206b80657c6a16a4aa68e9d6d108e1ac2eada09e1e3b16d29a773fe0a7dba4aba7a8c20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a546c9014e32f7244caa0a01d6ca2f4

SHA1
8f6be8ff2cf7469082290ad0b5072b0f6b119608

SHA256
febf67bac1deadb681c29d5430f84684d3d79f109e75d62168ad26130be82a53

SHA512
f1a748e67225b751237afe4d35ae9b8977a99c93d47b373794f346a0e5da988c679120eafb8f7683fddd76b76f23f1193223355c8794dab2f0c240a15f142b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
04cb557a32fc520c9e2a844fc4483fb2

SHA1
5187abe42635126f196e90f22c34774d6700c10e

SHA256
292db14d0253761fc2a911018666cbea9bcbd10b15dfb8dd52cc59145b960edb

SHA512
9a4fb213b154c04d8b0058955ddad6c89168147138027df56ff87ad0bf9cc8f161e18e1ec64969f92144879a33adc223ff3877f743340b1c6d751ee500505341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0D209CC0-47F8-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
5KB

MD5
e8dd8f3a7ae4bcfdccad3c8db868f264

SHA1
96a883834500c79899b7c25756b03847b8a10607

SHA256
6874053f5c3878877b5aff3d70a65c15762ff2342e9c9e8cdebf465298443c23

SHA512
57d08d922cdb0fc24b46f0b10e4f96553fe939d2ad65feb1a7fc8c2542497e0fcbf3a3863e5c15c267839ab4713767fa1f2cd7a91291ba5c16fcd756143ce0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0D453BC0-47F8-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
3KB

MD5
214f191c1ec2987d263a3b36ed805a63

SHA1
bbddebdd24e9a7fb5c5ab2e83c2ce3e1d219dc4b

SHA256
e0939a413835f573ec875303536b97eab89b0be7b689611854ac748600ab8025

SHA512
8ad82f294b166029fd88374a164dca7f17199023b2b1ce7edbb8b905bb066198fa64cf4edc5a2b2ede0e1a5a4c213081a5f09cca2135378557af41236a808f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EB95E11-47F8-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
5KB

MD5
a506c61b2cf89d74d101ceed34ebb2ec

SHA1
7b8083a918786aeb7a201e4821e68451d8aba390

SHA256
3a3283a7b76b07e0f4bb57c72252cf71baf8fef64e0cbd0d1a1e8293c7aa67fd

SHA512
3a2e9ca22356e7a428a9c2ba4b03e9cde2c6815b125534944fdd151328ef5b6446cf65039b88ac30ced5077cf74a7cebe79358bed6a9f6584a92d2da7e735bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EB98521-47F8-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
5KB

MD5
3dd4b375bc5f7f6970c3cac8699be5e7

SHA1
036b5c2910c1340be9e8355102430c961f8aaf9c

SHA256
f01cac2f2f2d6efeaed7201d3bb9b3ad10345373b01b8f07bf15841b56bd7a48

SHA512
a8085975184bc22c14838f2980120c7b564687380931f925a6533a5a543363fece9957adb587326698b7ec06f49e699e4528ad6200000fc6f386cf9d15a457dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F167231-47F8-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
5KB

MD5
e60880cd41a0345de74587edacf1312a

SHA1
a69e34c580c2a177377630cda98bd3cb30f837a8

SHA256
8721250dfda5a5a65f378ae5ee0ca5c50d23edd91971e543db498bb6e40b1188

SHA512
838b31c6db91bb45a7131b440ba9e39222cfc0bfe554004b3dd6361c43b0520bac16c785ad57dbe9bd165d9b9a33a181486437d70310295bc4dadd321224f949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5436B3B0-47F8-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
3KB

MD5
186b50eff4e55905bbdf35281b5309a5

SHA1
4974447a5887ae35816af098e8d563c1d0ec7e0d

SHA256
dbca4ab00ce7888f09cb9841299b066e2d1ae03af49cc7dfff4e06b106cac679

SHA512
0614344c6497d3e4fa75db3fc97f7352cc7be76f9ea89daa971645e59d90dfe45ac3ebc02e348cbd145775fd49f76b1029a55e400b37683df041404505f6e968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E58A8C71-47F7-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
3KB

MD5
9e9cbd4253f57216be426f598b8df190

SHA1
560a5ee2787a3dbdec18f2cb198d02045b286f99

SHA256
5908aafe2ee732e1e2911e232f56e5a4d531764aad72ea18bd5f97e200ce121b

SHA512
e71c49b25e7a9de080dd1d00187171962d3f00b26bea38fb31d3e6240d3b6d8a7273645f8efe3986405854e49af4f8df14bb32a89663fae55030be4b29a5a1f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E597F9F1-47F7-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
5KB

MD5
9b766640cd0d00ff2d34b822104c93db

SHA1
e843ca35007e11a55cf0d0a34cc408574eab9101

SHA256
0ca11a260ecefd38873ba0663fa61b0d77a18a90500a21a3849947bd75461d9f

SHA512
50f671f39d374941142ae592b8e594ef9ab0424f0671ae5f5cc4c16cf4e030c255ebfddc256f2873a10a5a1902a0db389d2e636bf69cc760998d1b8bc9c2525c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E597F9F1-47F7-11ED-BF3D-D6AAFEFD221A}.dat

Filesize
5KB

MD5
8f8c8ba542c4ece4ae75152a8dd998aa

SHA1
3efb4015eaf53c0cfcac5f2b43dc0ad238df8d85

SHA256
8bf752957910bb5b62ed4b776316fa1e689e1b6ecc7195b142003ff641dd165b

SHA512
8330e33ddd574a00a060a3c0ac47b647c510ed6e55e6c37c176acb3738958d7fcf331a9ec43c4cb0f65c80f18089229f63e242e13dd69423e87a0931827cfd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
8KB

MD5
99b1846c1a6508fdb831ec0cd1caec19

SHA1
5bb4682cfc34590dc2f697db4622ba7334c7bef9

SHA256
346ca9064db1a1eaadc3027a57e3a73666fc89ca050a47a5367443fe53bb3269

SHA512
520808d5cfa0e83a080a44be6df06485259ad58d7d2393771f0c9010b61bb273c33d0f5da094e021a6524b6c95590d8599af1e5b76426e1b29e3e19538e8b64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES322A.tmp

Filesize
1KB

MD5
aa82d58e3b30d8e43ce0415b16fdd614

SHA1
3a974460cb650e9f2deea6ce0639d80ca33fa53f

SHA256
c641e2654c014e93d9ffa1028421d7c741f6e2eccf8285d320f5f0e7529a54f9

SHA512
48a260d4cb52fd5978e8e3dc3ecc3256db9420e050f9a28356f48e9a39fcb496ec2b39e1034b04c452a49fee743887b2a8698451f9ed1506f3334dedd2870dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hva2tpsz.dll

Filesize
3KB

MD5
44acd7afb56f01282bd4fac1773e5b7b

SHA1
4ef47bb8d361d78ea6bb23f86bd4cebd5c084eff

SHA256
22719ae7bf592eeee046ba1448b98f9f78c1518a66ffdc918a917df93ac70911

SHA512
abc44f8b27cb30fa793411bbc65ce2d89d22070ee8758f7ed2f234d5b22aaae60abb2777aeeb13586f9de030902b2f4a8c31c06ecece8662dd2d2d35f14982cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hva2tpsz.pdb

Filesize
11KB

MD5
e503ea94c8f1a62a0e0d39d473ef76e1

SHA1
7941a3047a720aaad11dc3b84702ab51e4bda1da

SHA256
7f94b77962511c233c821c2eaca0f4954b64830231e59a7a186c9ba371e5accc

SHA512
287327b58f6abf3df058fca06fec0a27ca085fcc195edb0dde71182471ea905cccbece660090b134b10469711c6ba97e73ea85d74e27e14e67057b9e701a0b76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2DKB9EXI.txt

Filesize
608B

MD5
f0f2aba5eab917bd64ce6740cf5a91e2

SHA1
fe7bec55a807ba05ff9d1622f5a6cd068a09a71d

SHA256
9731bad290dd65fb62f17b3d05ae8d7e9b439be524b6f5a5c44e82fc8b58f935

SHA512
8fd91a1a61426e392210a5eea155451f69a051e6f505e55cda860035717006da81029708776f6071f46f3ede38bb478767a5a49c35df863cd7fc2cebff8e2a93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2YGIYWYR.txt

Filesize
110B

MD5
4b84338a26c594a216cf6e6750308d8f

SHA1
f9fccc33a5ff4e150fdc92077169ab64c37da66b

SHA256
72e838895fd3351c72814ac3bd75cbc91f7cd836ae70d49994e40c7fa11d7d99

SHA512
f962c9695d786289c9575f8c4676ac58e03eb3295ed87d41b040296e65edb1b927ac8090b736f9a6a401f2b296c8dd572d441a4a9acd77f9e21adf43cdb53cf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q4UHTP5J.txt

Filesize
607B

MD5
ad285772644116f3fe3a6709011befe4

SHA1
b121b3e9b6bea270f497337841c000cadd7c933b

SHA256
bc61f5b31b7244dadb96abecd2124012c2cb9f2dc2079179fe29810a0bd74596

SHA512
184731efa798ea61974f1d231a20e8c1a88bdafd8175fb9b9d009275d043daae0c03745ce1b75351caa7ed8a431d54df281de78a31264def4bb001d1e0efdfe1

Download Submit
C:\Windows\TEMP\SDIAG_ee230767-bccb-4b52-9d3b-3c6b100bcd5d\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_ee230767-bccb-4b52-9d3b-3c6b100bcd5d\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_ee230767-bccb-4b52-9d3b-3c6b100bcd5d\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_ee230767-bccb-4b52-9d3b-3c6b100bcd5d\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3219.tmp

Filesize
652B

MD5
2b07457744fab1d06e39a5e895ecf051

SHA1
c2407f6ae7f6b022f7e3b226b9afe72e12bf2b3a

SHA256
ce40e6e6a816b9a7aa5c8e5b8fe98060104cd8e7e311a44c3eef09fc17711580

SHA512
7790759116353fdccb5cf1d9b043f5ec195a24117b080770286886d1e73b82dccb98afecb73ed3fe2b647fcd832756253c9a506ee54d137d8dadd64a2c1a5db4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hva2tpsz.0.cs

Filesize
1007B

MD5
bac2724be827ee042ff2b312050aa844

SHA1
ca34fd2feb835c8746ad1bec6de9a24cc1368595

SHA256
6901eb7b1a34580f7ae741d2a0d09bfa0e85e0b2cbd945d961291e6f4a02bd33

SHA512
3e7b6d91ed41007b471c93015c7c8900c7141766d7a83b394fabceac93f91cb4b37ed06abc3371f96b314355aa4facf9e0214d7dfcb7faa0018db02ad0a970aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hva2tpsz.cmdline

Filesize
309B

MD5
d1680308ef75002eaeecd2e367380207

SHA1
422967b42124984fa2adca21394049066953b3b3

SHA256
41cb57fbefe450edee8373b57ae7e1f81e430a6dca02e65c46050e9a15603bcd

SHA512
b9aa6eb4cdb3d10282a8aabac67793186ae252e813cc32c4b84e0ea8fcb5e1bf1bc8b21b8a9b0b4c9e4700cfb060f2c545527a6c4be3a53aae3dad760eabb5a8

Download Submit
memory/592-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1292-57-0x0000000070501000-0x0000000070503000-memory.dmp

Filesize
8KB

Download
memory/1292-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-65-0x0000000068421000-0x0000000068424000-memory.dmp

Filesize
12KB

Download
memory/1292-127-0x00000000714ED000-0x00000000714F8000-memory.dmp

Filesize
44KB

Download
memory/1292-62-0x00000000714ED000-0x00000000714F8000-memory.dmp

Filesize
44KB

Download
memory/2036-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/8848-370-0x000007FEF4260000-0x000007FEF43A3000-memory.dmp

Filesize
1.3MB

Download
memory/8848-433-0x000007FF69EB0000-0x000007FF69EBA000-memory.dmp

Filesize
40KB

Download
memory/8848-432-0x000007FED8430000-0x000007FED8573000-memory.dmp

Filesize
1.3MB

Download
memory/8848-426-0x000007FF69EB0000-0x000007FF69EBA000-memory.dmp

Filesize
40KB

Download
memory/8848-425-0x000007FED8430000-0x000007FED8573000-memory.dmp

Filesize
1.3MB

Download
memory/8848-375-0x000007FED7BB0000-0x000007FED7BBA000-memory.dmp

Filesize
40KB

Download
memory/8848-374-0x000007FEF4260000-0x000007FEF43A3000-memory.dmp

Filesize
1.3MB

Download
memory/8848-371-0x000007FED7BB0000-0x000007FED7BBA000-memory.dmp

Filesize
40KB

Download