2e80059a92e23f07ece25cd25f4e855cb01c8623a5ca9d8d63756c2273368563

max time kernel
129s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "290"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\ErrorState = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_bottom = "0.750000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Path = "C:\\Users\\Admin\\Favorites\\Links\\Web Slice Gallery.url"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\AutoHide = "yes"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1048343b94ddd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\ErrorState = "64"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Handler = "{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_right = "0.750000"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_top = "0.750000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_left = "0.750000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState = "64"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "7"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f44471a0359723fa74489c55595fe6b30ee0000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\NodeSlot = "5"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_TopViewVersion = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 = 5e003100000000002155f56b10004d534e5745427e310000460008000400efbe2155f56b2155f56b2a000000313e00000000020000000000000000000000000000004d0053004e00200057006500620073006900740065007300000018000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000020000000300000004000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0300000004000000000000000200000001000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000000000000200000001000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\MRUListEx = ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 = 200000001a00eebbfe230000100061f77717ad688a4d87bd30b759fa33dd00000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000020000000300000004000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 42 IoCs

pid	Process
968	OUTLOOK.EXE
2276	vlc.exe
2348	vlc.exe
2360	vlc.exe
2380	vlc.exe
2412	vlc.exe
2712	vlc.exe
2812	vlc.exe
3296	vlc.exe
3312	vlc.exe
3480	vlc.exe
3800	vlc.exe
1688	vlc.exe
3616	vlc.exe
2704	vlc.exe
3732	vlc.exe
4664	vlc.exe
4716	vlc.exe
4892	vlc.exe
5080	vlc.exe
4400	vlc.exe
4660	vlc.exe
5272	vlc.exe
5300	vlc.exe
5792	vlc.exe
6124	vlc.exe
5280	vlc.exe
5252	vlc.exe
5736	vlc.exe
4012	vlc.exe
6396	vlc.exe
6504	vlc.exe
6820	vlc.exe
7144	vlc.exe
6260	vlc.exe
6496	vlc.exe
7172	vlc.exe
7404	vlc.exe
8036	vlc.exe
1072	vlc.exe
2904	vlc.exe
8604	vlc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1036	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 41 IoCs

pid	Process
2348	vlc.exe
2380	vlc.exe
2412	vlc.exe
2360	vlc.exe
2276	vlc.exe
2712	vlc.exe
2812	vlc.exe
3296	vlc.exe
3312	vlc.exe
3480	vlc.exe
3800	vlc.exe
1688	vlc.exe
3616	vlc.exe
3732	vlc.exe
2704	vlc.exe
4664	vlc.exe
4716	vlc.exe
4892	vlc.exe
5080	vlc.exe
4400	vlc.exe
4660	vlc.exe
5272	vlc.exe
5300	vlc.exe
5792	vlc.exe
6124	vlc.exe
5280	vlc.exe
5252	vlc.exe
1560	iexplore.exe
5736	vlc.exe
4012	vlc.exe
6396	vlc.exe
6504	vlc.exe
6820	vlc.exe
7144	vlc.exe
6260	vlc.exe
6496	vlc.exe
7172	vlc.exe
7404	vlc.exe
8036	vlc.exe
1072	vlc.exe
2904	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2044	AUDIODG.EXE
Token: 33	2044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2044	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
2348	vlc.exe
2360	vlc.exe
2412	vlc.exe
2380	vlc.exe
2276	vlc.exe
2712	vlc.exe
2812	vlc.exe
2348	vlc.exe
2412	vlc.exe
1560	iexplore.exe
2360	vlc.exe
2380	vlc.exe
2276	vlc.exe
2712	vlc.exe
2812	vlc.exe
1204	iexplore.exe
2276	vlc.exe
2380	vlc.exe
2348	vlc.exe
2712	vlc.exe
2812	vlc.exe
2412	vlc.exe
2360	vlc.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
2348	vlc.exe
2412	vlc.exe
2360	vlc.exe
2380	vlc.exe
2276	vlc.exe
2712	vlc.exe
2812	vlc.exe
2348	vlc.exe
2412	vlc.exe
2360	vlc.exe
2380	vlc.exe
2276	vlc.exe
2712	vlc.exe
2812	vlc.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
3296	vlc.exe
3312	vlc.exe
3296	vlc.exe
3312	vlc.exe
3480	vlc.exe
3480	vlc.exe
3800	vlc.exe
3800	vlc.exe
696	chrome.exe
696	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1560	iexplore.exe
1204	iexplore.exe
1560	iexplore.exe
1204	iexplore.exe
968	OUTLOOK.EXE
968	OUTLOOK.EXE
968	OUTLOOK.EXE
968	OUTLOOK.EXE
2276	vlc.exe
2348	vlc.exe
2360	vlc.exe
2412	vlc.exe
2380	vlc.exe
2712	vlc.exe
2812	vlc.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1560	iexplore.exe
1560	iexplore.exe
1560	iexplore.exe
1560	iexplore.exe
3296	vlc.exe
3312	vlc.exe
1560	iexplore.exe
1560	iexplore.exe
3480	vlc.exe
1560	iexplore.exe
1560	iexplore.exe
1560	iexplore.exe
1560	iexplore.exe
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE
1560	iexplore.exe
1560	iexplore.exe
3224	IEXPLORE.EXE
3224	IEXPLORE.EXE
3800	vlc.exe
1560	iexplore.exe
1560	iexplore.exe
1560	iexplore.exe
1560	iexplore.exe
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
4052	IEXPLORE.EXE
4052	IEXPLORE.EXE
1688	vlc.exe
1560	iexplore.exe
1560	iexplore.exe
3616	vlc.exe
3872	IEXPLORE.EXE
3872	IEXPLORE.EXE
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
2704	vlc.exe
3732	vlc.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
4184	IEXPLORE.EXE
4184	IEXPLORE.EXE
3872	IEXPLORE.EXE
3872	IEXPLORE.EXE
4664	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 1576	696	chrome.exe	32
PID 696 wrote to memory of 1576	696	chrome.exe	32
PID 696 wrote to memory of 1576	696	chrome.exe	32
PID 1560 wrote to memory of 1940	1560	iexplore.exe	34
PID 1560 wrote to memory of 1940	1560	iexplore.exe	34
PID 1560 wrote to memory of 1940	1560	iexplore.exe	34
PID 1560 wrote to memory of 1940	1560	iexplore.exe	34
PID 1204 wrote to memory of 1976	1204	iexplore.exe	33
PID 1204 wrote to memory of 1976	1204	iexplore.exe	33
PID 1204 wrote to memory of 1976	1204	iexplore.exe	33
PID 1204 wrote to memory of 1976	1204	iexplore.exe	33
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 1748 wrote to memory of 988	1748	wmplayer.exe	37
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 556	696	chrome.exe	38
PID 696 wrote to memory of 1036	696	chrome.exe	39
PID 696 wrote to memory of 1036	696	chrome.exe	39
PID 696 wrote to memory of 1036	696	chrome.exe	39
PID 696 wrote to memory of 540	696	chrome.exe	40
PID 696 wrote to memory of 540	696	chrome.exe	40

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:406533 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3224
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:799749 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:2634756 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:2372617 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3872
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:1192968 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:799766 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:2569244 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:2896912 /prefetch:2
  2⤵
  PID:5432
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:7025691 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4912
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:6780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:2372669 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:6904
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:14300184 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:7280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:13972495 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:8056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:15545376 /prefetch:2
  2⤵
  PID:8120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:3879978 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:7996
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:210052 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4436

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6244f50,0x7fef6244f60,0x7fef6244f70
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:2
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2348 /prefetch:2
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,921982652310380914,3379874389329132545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:7672

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:968

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:988

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2212

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2584

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2600

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2616

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2632

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2696

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2712

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2748

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2756

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2848

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2320

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2944

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:996

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3168

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3232

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3364

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3448

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3460

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3536

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3556

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3576

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3612

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3788

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3992

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3304

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3456

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3780

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3268

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3616

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3212

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3732

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4332

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4488

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4496

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4580

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4716

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4880

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4892

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5064

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5080

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4288

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2260

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4400

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4912

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5232

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5260

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5272

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5300

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5500

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5492

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5592

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5640

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5676

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5668

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5692

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5728

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5792

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5872

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5880

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5948
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5976

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6004

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6064

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6116

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6124

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5280

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4012

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6156

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6172

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6180

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6288

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6364

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6396

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6464

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6580

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6636

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6716

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6724

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6744

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6820

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7004

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7112

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7144

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7152

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6260

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7016

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6640

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6496

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6792

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6912

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:1864

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7172

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7404

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7412

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7500

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7560

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7584

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7908

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:8008

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6328

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7496

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2264

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2868

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 1
1⤵
PID:3004

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:1696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7600

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7952

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8036

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1072

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3012

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2684

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3980

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6328

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3492

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2904

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3940

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3520

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2204

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2676

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8376

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe"
1⤵
PID:8432

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8472

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8528

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8604

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:8672

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8740

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
fff81e3f26cca2c78f2812eed281384b

SHA1
f04684bd7f9efe9922b0700f33dd4ce6f6901275

SHA256
14eacc265e6aa53652eb6ede422eacd3c9399ab49c42902ad13e5239da132537

SHA512
d826dbd6d082b41d00ec82447b3630362e6ab2a5c85b9dab00675de34861ce068bd5cc858216f69a26f1ab561fea166bb02c59e0d97d0c4a814600851c77e862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6899f959c8a477db5e549adaedc23f9e

SHA1
512ae459af70c472503ffec01be4babad4b57503

SHA256
601dbab768622313d788361f2a8d2fe4883f48b690aadf9bf162f0de516215f0

SHA512
110ce8acb7d3ec72fb19c2802b1f14fc6d1e41120f9b69ea98f9735a65641945e44824e73e44c52e15fc98d59559b3f0f65ee1a13ea084b48ba07f5c5c870698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3f18d200fd8331b1303477a0a27ade1

SHA1
2711c1f11e9c7b387368220743cadc937680eaf4

SHA256
b5c72e14160a268d92d391d5b3cb3b803394f42dc0e703f07c1741022c832347

SHA512
70e55726af08351ef3a3059db1304f5e1454c2bd8567e62f2b9f479ffa0eb0a5997d42e022ae9f583c98775e8958b9a2a7014a22f127c269e09ece96d59f78fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
501f89f2779b8b8b010e6b1c3b80ee19

SHA1
b0d022dac91d05a988a7cb0f5f3740a52044d70a

SHA256
d0d3ff62e500a55067bb46e34d3560cb12248d883d08b084117c670b3fe1e307

SHA512
e115e8a2c98f5195e0b620330de0d0c0af0fa775c59c259f0dc2d9084ef31d409293918bb7dcd920c0b69816f5c1f9ba45ac86273084044e635cd43a07526d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb846ed2d760e923df784ea19203381

SHA1
aa43395b1910a83d8986ae72da622a62e03c651b

SHA256
4fc502496be15bd9b1c76d562b012cb84c30c1b363920b173a03818aeeff1aaa

SHA512
51a166a129b9ee83aefcf34b1697d526ada65bdb8d05a0c7ec140f8be84dbcbe2ccbb620988c8be10ba8b702ad9bd4be5a2ba2d15eba928c0f739f69ec5f7372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd0bdac24eca8523ed3f369136011707

SHA1
da3c965e4fdc8e3a29b820a8aecdc82fe7fd25b9

SHA256
48fed1ea0a1e8bbc38395fea23ae8c8879ea92c8b46718666ec5cceec2f4ce5a

SHA512
26bba9366f2e77a8de298a7a9242c70e5c7dfd55ac7bc1d7571e74d72e232482dbc069144aed06797e7007bb5e800dd0ba93e8a8ecf5cd4e7ce2635335cacdf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796cd4dd224c912b8b672c2ebeb178dc

SHA1
0a6029d051e881369aff04641ec6e7010419a8e3

SHA256
0af094371c52e7b482598a6ef911ee58bf7051ea977e369cd0e7fe42b939cc41

SHA512
f351fde5dd044c3b97bb7b5c379a0e8cd8180f55322f2efd85e3f6e675a3d52cbaea5776de406cdcbf0d52dff972fb2a0b1e6f30f35215c54f4e76c77f15b6dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6733adca8101ccfec0885c7b4b989d72

SHA1
36bbcb219cc2a5b67016e486ed1e6bd59d3de708

SHA256
a9d253a5f415e7fa24975438e8d17bd6e34d1bb7eaadffa3a3e81ad5fcf9442c

SHA512
b63433a9a930be83eafdaa10280ff5417be063d916b787c84e9411ac5e90579699afec24575697a8657e9079638d61160e830eaa72ab9a862d06276bc49d3e13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e002c9080e6e706dbc7c09c26fcd234

SHA1
0f5e6c70e0f314b16925850310dac1d58706a1d4

SHA256
d92b4d41beb4a5349ab595ede067194214716aa3a5613bd909f43ad0ced3cf60

SHA512
145eb88aa71237485bafb0c9da2e5c486322096cdd3e78b3d83de5b20057d758b99e20689c4dc8a3e5f3fdaf5d69cbabad55a00b6e55061b28f8de2b2528575c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a22de55f04097db4ce495bfbd8a7e102

SHA1
85525706f0d9365372bb0bc1ca0afdcbe10a5583

SHA256
3139c5d9e2ab141cd3f9530a6e007b21cdfc5c61d55645e57fad2cea1f988d24

SHA512
f0b719afd68c50d5e9ad3755b8341bbd3be507780ba29a435f857154880eb3e3e7e6f1c19ace903903c8fe4c0471ff2b71d87f35c89054ca038518820bd11803

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c83b94ad0d6e592b7fca36bd86af2398

SHA1
dd18b85ad7a9152ff4cb084306b4bab2eb4a677b

SHA256
b16e82ae5d511bea6283856474f0da845401f0c775c26bcdc701f40a96398146

SHA512
73934e33c540ec29e8a21610d39d0ef0742a6074a830d5706a53e11949733e828f2314cd6660fb79ca9e3132097833b5df6bfe998c84309aaf4ba6f877c0c36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce46d9f62b6cea354eca4af919372e1e

SHA1
c43bc3d2a77f0dcd155ecca2febc272690f38f53

SHA256
8707d5b57178260455d67bace5a1a976168588324520be1796197a057af15cdd

SHA512
89e7af7f7bbd39515ca3351ef91e3c3734160d71c967cbfceb87d06282a80696a3034e8fa7d4da6dcbe2a15c33763355033ad7674095cb49faf8e4940f0d907c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b15c9a6eeddd61de96053d9d095df59

SHA1
32146b37fa99396063f747676c0847b11aeb3318

SHA256
ffc050ac80503644fdf2ed18c4848dab348b9eb346786000369663b46ec6a38c

SHA512
70416f1dc9f15f78e638adba4c10b74f35d4027f0332f7bdbbf040b5675be06c3b2124c3c05d6de2a241d331ccd3136686a6656bfb9122a22aee19c7750f12e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f39d4b726ef2eb3365e46db7c996f04

SHA1
8ad0b01e1fa947dfaeb29fa73c159c2f5ebcd282

SHA256
48f68051d7be419b3ed81b25aa196eabf7a6db3122e036e193ff712b10704b1b

SHA512
8f512a2300bd1e5c61ded349e9b03366ae7f4eafb5908256a73bde268463fb056fce793fd53a7d814a02f2442aac7a13d8a34d7f2601ddfec7811c9844d6f124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
144ff97a09f944ad776c9071caef4810

SHA1
b77a504d385744ca2bb803749c9c6e9cc645622b

SHA256
3a9333c15f82dcf091c089c1f057c5cb5f58a4b51489f7ae7f7f9756130a14a5

SHA512
3d1928573b3baf88b4b6258596e5fe21366c719bca48a80466f3db54c88873c3137f6e6fdfad5c45d3cf9724484f9522807908c13ae25c18245e647250b9a3c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab0037bfc09d344e087318573b7f522a

SHA1
1bc4645a0274f364d3eede904c0a9ffae4ab2167

SHA256
68198b441f12fba5c13c1adb9bea24250a3d17e23d1b5cb18593501516d80e49

SHA512
90410b1a2ac7e39da1011dfc29d3c967d45882873276348bc2075fb5536d6ebc8e39d310ccf62bb0d698fedfa8c2cbc0f9461ddcf6073809ec7b4e28d1e3ec1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c91775e37962b4ea26a0b2114d093e89

SHA1
84ef201d828ee4cd6c028f62ede40e3641efe370

SHA256
33d4a79a99722ffdcccd75eba52750a0a63667dfee44a6efa4067b32e95f4812

SHA512
51e5f7662bf9ce745bab7a002bf13d17f246d7306bb059fcefb898e5d3acc781ff64557267385d01c07a0e56fec86a5bff92df372a47c0cc2460386cbac16a2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f67099015dfa48b6b9f1c4d0c214e5be

SHA1
cec57d67e67f8cc159d63ec000590910e3442cd3

SHA256
868a0e6d96a903ecf1ce5cf096b1c08217890e9adf8d552f5e9f9fccd4677d60

SHA512
debd9094a126ac37813933298b73c5fbde6a0412d47264c648944665ac1c4bf449b64f98b90a18b7c54da9680641ab26334f0ee788c678e62f6749d10574430e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f67099015dfa48b6b9f1c4d0c214e5be

SHA1
cec57d67e67f8cc159d63ec000590910e3442cd3

SHA256
868a0e6d96a903ecf1ce5cf096b1c08217890e9adf8d552f5e9f9fccd4677d60

SHA512
debd9094a126ac37813933298b73c5fbde6a0412d47264c648944665ac1c4bf449b64f98b90a18b7c54da9680641ab26334f0ee788c678e62f6749d10574430e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91dc2c818e6e2cccdb379a66c82129f0

SHA1
44d3436cf75410b6433188c9d0e1c15cd7c4fb28

SHA256
8a8dbd060d677cc9bb5f495ea22b40bdbeb66c8bee53a40c3094ff4812dd5067

SHA512
113ef07eb89e54f8c2cf5bde867b432d32b15549c9999b3f696ab2c348e16d37fc3bd44ee6999740012ed0274f6da874c63bec5e5734e65e529313c76816b87b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9212d5f5bc585b6f393ffd70d6abc074

SHA1
e29109d3ddb87d9df517e7069c1e7250f49d31f0

SHA256
85e104132861a0be9328d2e1a6dfe824b50e34e7205c97b90855fa437016fe45

SHA512
8b911ea79fa1ab12a4e4f15cc99282dbd0e2a3ccbd2fee61fa69c80c588aff6e6e474a6f4e261f54c1adac0c7e1edb199ae15222ab359ce3bcdc1102ac2e7c80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce5d76f3b56422ae009532780191692

SHA1
4b67b1b4c2b4d0c9c03af33e5dbf37cb3a883021

SHA256
776d0b57271ec3693ece2ec7f2fe14d5f71ceeadb9c452872c59a6e86d891024

SHA512
5b43e462b037157905e03575a2148fe675384ba01d603c419fb6c2c1ca801e9307a663cf67a0a831467ebf126dc600c318cbe6381375106728b15399634b0ef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb569bc7a2290436ce930271f7eb8d0a

SHA1
064861d13e7163c9241b32c5494fabedb90d16e1

SHA256
2c35657f683e3c3f5846ab418f7873b6f55801ca0359041fb089b89a16672a7b

SHA512
f5b526fc582ee9a91357ab80d64e4c9961301557af584c3d787287c1bdd07f21e05ef8b2b00d22439670ea4cadb4a4959b2cabacd7ebf1329fd12e54d27874a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39b6b47895dd4a4536a3e52d2d578ce0

SHA1
6a7c28a877138420e825fb54239c877538afad39

SHA256
1fd35d2dcdefabee6613f3077f3763e60fff946bbfd0d4ecbab645923b492d9c

SHA512
cf56f306081169d8679f534a07bd73174affb8245f21c4fbb21bd7ef9154e2c7a6e2424f75439e24b6a2f0e73881cae6d2dd77de5242bcc689cca2fb41158f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad3ec696c3728b68ec34117e9dac01b8

SHA1
e4ca44bdd070ad2702c07b3626864a308d2eebf1

SHA256
5ba1321ef3e62a4e228860fbe07bfab3f9d041e4fa3d082908f7cabda9ac86a3

SHA512
a93e05849363d5a44f4eec5a5dde47e8c1a6c19c65571085eb0916ed068aaf2cf3eea924fd3d9f2dc6fcd83e1a18a891fc8e390f011f9ccc1b2f319d525ae958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b70e77eaa8e84ece8dc44dc767546f4

SHA1
5fab3d2997d2526f9a2a200f260c1365657ae8a9

SHA256
24ebbc3ca686836422bf8244c019865aa592811b83ab33f187b23b8464730851

SHA512
5ea3e46f5a0b3944381be84f6ef68b5c183f02b6c813ae6f91e8236ea5b25b3ab9d20c608a6cd975f6ffb54192b94c88bb93e9fbc2880778a7ce471852ac4911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f49ff1afad3f47abae51c6e68a1ae083

SHA1
1b49f1c5bdba3e6fa3dd612f07c6e5d9511c6ad1

SHA256
4008d742d4a6927cf497ae499ab2672e5066c9c7fd41c35293abe19a63f7fba2

SHA512
14a97487554bf087f9fe53232c2bf287b336f96968dd1d7e351712a8e6d62b8a60222b01c8dc3259c784390396f3cf4244aa64354dc8328b606cd2127dea119b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c8b14e036bb29116a8f5886c311b08d

SHA1
98e62e9e67940debf0520c51fc53ee6de090ac5a

SHA256
066b0b25e519fb5bec95fbdd233e86ce304700477c44e54cccf96bd7cbb67459

SHA512
978045903053765b87cac2ec4a8ca303ed42bfc451327e6e602e493fabc92dfcbb1ab510bcaada89ad3b06451af12b1351a364b1d78dabe179fb54934a1eed52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
561536fd37666831c29e595c388e602c

SHA1
0155856213f986febcad8e06a64a78642e4994e2

SHA256
2a845779dccd9f598d7b052e133a39d0af40b5f58d71c41a871052a1435d2d00

SHA512
93137d9c78754b90a0e598f1c8889a4195d609421095b3362af13f1db21df037610f139ecb1c1f4cc7b0f780ac0930a512c72185d7fe727df906a07eb7d11219

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aad4845534b4de0503d5c729aad4562

SHA1
de522642aafa0db8dc53a64cd831c891876ee5f8

SHA256
1f9198468dc4e083a34cdfe68c03da7939bfa18a7e2bce944860a03396cfc952

SHA512
f5c4d41c3a3371fec2f92348c82c94a73212dd294a768fc5b09d292236c80c754ad4b11f3d42dbf528e07708f7a57fbd314a7f81daf8d118270b7f58e09c98e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbfa3f5c0666d6a32ce0792c347bad32

SHA1
956d887a04d1c0a66e1a011b754a25d4c22f3fc6

SHA256
5743782a2a0358da7f853700865851576b4a287cc5055ab03f1649e161f80441

SHA512
21327fe79a8dca90bc79921421343bc1abcf2a8b1c085e5b5094c4031dca19766f02aa97fa621a9f348c06484d47ba5c72c0f9951cebd4ce15db8ac7c1667591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ba5de7b716c83d5abb010a835ff6243

SHA1
00400d3a5f113476c47b4b9a0f2241e9a4fb0916

SHA256
9f413b833d713d62c7d4a80348695502d51ce4a74533fc4a109d215768609e73

SHA512
5ab04b9c5968365d65fedb67bf9dd83e5e3151e4298e5707e98636b4c62b1636bac620a2566f1156366b453709ab7b0e2413ff046d65d157376cc3a229fda716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc9965034cbcd30cdd921520d6f57e70

SHA1
556920301568207a2968fe9ecf631d79b85d66fa

SHA256
7c2a5de2dcf216248cf2c03e91cf8e86450b7923e82bc502e6d37bf9e6370fae

SHA512
d102e3547e05751ee7141130caeb89c41f7f7fd1d4986b4a2f4dadb8c711892471e2b8dbb90474680335e0904c2f871b4201857b85282ce7ace1b00ce96127b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fb523cb27e3b8a2a1643445ff76db6c

SHA1
24b20b904179258ee7426ef0771c62160783c79b

SHA256
13e8c86d0a66177ed24dedc9d1dbf77fc3c6247d2161dfa71eca71d6aca5775b

SHA512
a2542bf4ebc075656343e00efd6ee0d98c2cf25a60f9e63bfe0e6e0b1ef91ee945a7cb5bae3fe0230e71d430c5b94107e7ea9ee08f83edbc3dde406b33ebb182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
560e4321f70c5d649f3bb71c8efa9235

SHA1
a9cfd15ea25389d5300f4e7d7f58197bc22b01b1

SHA256
588fb2245ad9f5b963ed26db8eb33455cb74e4f82b5d8ba680caa97634bc628f

SHA512
834d4dbfb7eec71c525c3acfa0c824fc8f559b12b07492c7d9a8f95bc6c2f9cf68f6d2e1e42cb7a6942cf887eeecce140e5ce990699f1fcb155eced40218fd7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
185c763a90a47afa6befb0f638497fa8

SHA1
05e946741d6999af004272bfa265aa54e8dc416d

SHA256
e62e340a8d2bed8b9500ed6b022ff2c2571b1bbc7b215061860e10e61e2e2421

SHA512
015243129e7d10fb314833cc2600e1c2233318ea5ccadd7e45aeca347f1ec9a4d38f227561e7748d490d62dcd2f9aef3dfb702c474802a5a313de07a54ae19b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63aeda715ec756776419448549e9bed6

SHA1
29e35bf191d95605bcc1bcf0a6f88fbc5a78deb8

SHA256
588c736f735521fdfbbbd7602e9a071c8432856c3de73df82a52bf9c87de36e7

SHA512
c315bf506cce273a8e2f4e5d09123e5efd0a598d57a48869b0394494bfccf744af4c8e5f325eba60cc06488abb79cef2aac7c94b700003b3406bfb8d6c8a4a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47e60afb422be14602945b9825c0caa8

SHA1
f83f9caa12209ba611984f68b23c0c2f4d7ce27e

SHA256
b40e4a03a0ce093c588e105c1f9d6110d6023f462eab969d9f4e9fb61b041eb1

SHA512
65d837df1670f4f6bcd6ed7fa082aff6ccb6c31f8778a5f4704c1296a06ef8333b5690de8fb9fc7d98505cf2cb063d3e93ebf2ad45e4c2cd5a95d39c799c7cf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0df49f9ca7b532da9fd0a180cd459d8

SHA1
ec7e568e8816ffdeeed511e830d6f0357837a2e9

SHA256
78187db3e4c0925393043f0ca292b8ad96d423ca69b461136798fc20b8bb3859

SHA512
4cfc57de7558c13926a083cfb5eb68634687f02381287767983505c297f19cddb09187ee76d3325a45999e1e81a6da50c818513079021ee69b54634f19e2c915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
397662f2aba21cd7624fc6001802e661

SHA1
aa851930385c6a80c0a301a73343bfb9ac4ed780

SHA256
edc440f75d274b3db5fbdfad26b4ec198198da04816dbe4a4a8b74be7012e4bb

SHA512
984cecee2f56d521716d515851ba5a6731eb5c627374cd8d2120562542777890f2978560a39473706b006307d4ca3207245c5dd8fbc3c968beaff29808a125a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A5C1471-4987-11ED-BBEF-F2255ECFD43B}.dat

Filesize
3KB

MD5
b636f01430db5bc0b162fcbf88f55459

SHA1
1f3fb36028242242fe99918ee24c4c7a69c4c886

SHA256
25c3695e3ba6cdf348ca11e4a527b769993e4245af173afad603f582ffedae99

SHA512
3d36f93a975ec4b55755e1c6faee2516ccc5c17af5b33d663f9fab3a8685cf043bf34323c3079d0552890d23dab5ae6ab6c546db50de435a01e206d68fc919b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A6B7DC1-4987-11ED-BBEF-F2255ECFD43B}.dat

Filesize
5KB

MD5
403ea59fbd98cd04266806b06f636a52

SHA1
2a17f13be507d2a276f79c23b677674715d4b133

SHA256
3276be2ca5fb009bd6fef124b9887de62657de21bc8968436e1bc287af55d64f

SHA512
effa36bfd8602af6987e8866462e8ca6081374f895740f2c43cd04ec9827ea6bcf846743894fb7062dbb8719c5886e91d16ab71c8934bbee0949c8a412fbedd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
9KB

MD5
e3361dbac8831ccf790d716f78425b3f

SHA1
e619cf0ea5df0953c851b8d50f7caf5a610c8146

SHA256
87996bfa12419e530f4cb408d24009abfbd7f4dc1ea6571f7121be8a75948755

SHA512
c86d7a7a49df5fe7516c1b7464c361f69b404b6ef647dfbcd45cfaaae5ed0c8f3359de9242e1ae0f1ce5c886856efea6894251a534ee6177a6b1e8a1c93327a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
13KB

MD5
d455ef4bdf7a1374598da922b33992f0

SHA1
259369ef60e4d877dfa89b6a787843bca699807b

SHA256
bc9a24e4e7bb627db81e189d88354044bf4809d2a260b534721db791ae2af93b

SHA512
4a749d5e1e8282eaf101351329f9a2f8109e5896ba0e734ad69a6cd74a52d75b87f2ab06ec56d58a9450b3e162062681ba6105bdd06080ed76b241afca672e80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\64FGM0L9.txt

Filesize
608B

MD5
57a553bfc253ce5ee5649326185363cb

SHA1
91b92ee7b56d0c7324360c3a97ee54e80bd76037

SHA256
aaaee0ac164dbb3eb017268c11b1b7ccfbbc3786a909c29c706e697e06e8c18f

SHA512
41ed6a16a5a5f1b39e3d6791d33aa5246b8ee366fcca41b937527513529d6f0d7d3c2d49523218216ef338afc49f569cfaabed11e2179666edf4c14b3d545f24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9D4Z0C1H.txt

Filesize
567B

MD5
e03ba6cdb89c901db4987491b38cc210

SHA1
82b5419fb48bbd4bea1e7f8c580fe1847ea4e425

SHA256
7c08631fdf3cc827e2dd266021db704d1cd5de3d08a596e4ba78026f2ed9419b

SHA512
7677b2db5c62493fa65f4b1b4704d918c943d69adf6d305669a06909b478d4cd678340a7a38d01f0c43c8f990b3153419cab00f6f06bc3af035ab74ec38e1232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NM3BS4WQ.txt

Filesize
411B

MD5
d8f015dbb9ec2ef064fe8ef8e427f772

SHA1
025e2eb176d130491eae8f7fce95ed86a2d090c4

SHA256
d452a89d0f6023289e769c3819a5e580a53c9eb9474645bc8a4f788cd436b634

SHA512
be510895366479fa6083b784b22c2f4554b7d025ff709656cd69c3573466ac07d6f98631f09e048455d4b8bd8c8cf150e0bc0a77373f924f7f172e232ff6e250

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P0C0VRZW.txt

Filesize
422B

MD5
262ab2e681ab17bf5adef2c39547e1a0

SHA1
daa513a1acd5ffca6ba437780d31b9b6c695b0fb

SHA256
8cedecb8efac629bc22b5e740b84cfea2aadfd190be9d0c179ce5d889b4adaf2

SHA512
95b8d7d2da88513025c408711fa1c1755a66693ab29924736ec78b907d2bfff7aeab7fa24a378998da534fce6f534d47ff036134a5ff6cfaf479a6c72bf7e26e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PMJHZD0G.txt

Filesize
422B

MD5
60fd2aa20909fa9cf611e841a86b2373

SHA1
e349fced75cb414f5086920a22f5435780a0f502

SHA256
2f24da754e6303fbd64706b37534f3da2f11a6b42482d81a6b21b58c778c41f8

SHA512
60870df7152c0f92c404bc78d468027aff9d02e8d2540414cee1f6201349d474d69ece049583e951fed661589cf684f3028e75fabded0252e058079cab9b06f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RV29P51K.txt

Filesize
422B

MD5
f544d1c86bc9acae7ab1527e2a8fe01b

SHA1
8253059c5adaacaa942c020c4f74c0c26c1632fe

SHA256
37b19818046beae1d26084c444fa07c954e15801517038a067906d8e895908d5

SHA512
4fa8697d3adc5c92ce180f9c71ffe521fbc4b5832ae475f9e6819894e26559f9fe203beb11a32cfcc15ff7b31043074f647667564063b0c39acf4906e5a2b237

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
54B

MD5
67d9e38acc5780ceeae79b75263f0357

SHA1
07bdec0b1c4f3a47e310ec878cc77d083e7c6a8c

SHA256
9533ab02212ce6866e40b35f48cd884a436310efc324fe9a83f06bbfa91f1f8c

SHA512
6188878133e78b98473eede992b8b9d8b29a77c90660a1e1490337c7fc36ee5afd1b7e84e8df009aec91aa67b3b7260bd6bc723e40f5d3f6efa10e3135cf3daa

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
93KB

MD5
478a4a09f4f74e97335cd4d5e9da7ab5

SHA1
3c4f1dc52a293f079095d0b0370428ec8e8f9315

SHA256
884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974

SHA512
e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1

Download Submit
memory/688-54-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/968-55-0x0000000072041000-0x0000000072043000-memory.dmp

Filesize
8KB

Download
memory/968-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/968-60-0x000000007302D000-0x0000000073038000-memory.dmp

Filesize
44KB

Download
memory/968-62-0x0000000069761000-0x0000000069764000-memory.dmp

Filesize
12KB

Download
memory/968-104-0x000000007302D000-0x0000000073038000-memory.dmp

Filesize
44KB

Download
memory/1748-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download