52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56

max time kernel
219s
max time network
284s
platform
windows7_x64
resource
win7-20220812-de
resource tags

arch:x64arch:x86image:win7-20220812-delocale:de-deos:windows7-x64systemwindows
submitted
18/10/2022, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6660	960	WerFault.exe	28
8460	2272	WerFault.exe	237

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\LinksType = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_bottom = "0.750000"	helppane.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8724921-4EE8-11ED-AC5E-E60EF78AFC87} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000064000000ea040000c9020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0E3EDD1-4EE8-11ED-AC5E-E60EF78AFC87} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup\Shrink_To_Fit = "yes"	helppane.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000b277af5ccc606602d5292d824700dc4edef7701c96389fe6832cf470b65ac58c000000000e8000000002000020000000b53bfb31e855445be8b52409ec8b2e1fee77458234932842b39aaf9faa2c247d20000000204b26cf7b0dfdee91df341ed7fc94b957b6ad878b6ad1a288fbdaf449024dc8400000002eb17b8939963107978518efc5453ee60424f0769d0b8ed1cd4b176c8f68ac672f97855742ae7778f7f40a34b4038d9013ded7a78588827e9d921b7c27542f0d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CADF3B81-4EE8-11ED-AC5E-E60EF78AFC87} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c71d0cf6e2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "yes"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "269"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "269"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0300000000000000010000000400000002000000ffffffff	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	helppane.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0400000003000000020000000000000001000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\NodeSlot = "5"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000000000000100000002000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 00000000ffffffff	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 64 IoCs

pid	Process
712	OUTLOOK.EXE
1708	vlc.exe
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
3048	vlc.exe
3408	vlc.exe
3816	vlc.exe
3500	vlc.exe
1188	vlc.exe
4428	vlc.exe
4564	vlc.exe
4276	vlc.exe
4268	vlc.exe
4684	vlc.exe
1596	vlc.exe
1968	vlc.exe
5160	vlc.exe
5536	vlc.exe
5544	vlc.exe
6028	vlc.exe
5124	vlc.exe
4404	vlc.exe
5360	vlc.exe
5832	vlc.exe
6072	vlc.exe
6440	vlc.exe
6836	vlc.exe
7092	vlc.exe
5444	vlc.exe
6396	vlc.exe
6904	vlc.exe
4816	vlc.exe
7556	vlc.exe
7632	vlc.exe
7960	vlc.exe
8152	vlc.exe
8180	vlc.exe
3128	vlc.exe
7436	vlc.exe
6536	vlc.exe
6244	vlc.exe
4208	vlc.exe
6276	vlc.exe
7864	vlc.exe
8964	vlc.exe
8224	vlc.exe
4032	vlc.exe
4048	vlc.exe
8328	vlc.exe
8812	vlc.exe
8780	vlc.exe
3484	vlc.exe
4692	vlc.exe
9316	vlc.exe
9452	vlc.exe
9804	vlc.exe
9888	vlc.exe
9948	vlc.exe
10064	vlc.exe
10196	vlc.exe
9708	vlc.exe
9992	vlc.exe
6016	vlc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1576	chrome.exe
280	chrome.exe
280	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
280	chrome.exe
280	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 31 IoCs

pid	Process
1708	vlc.exe
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
3048	vlc.exe
3408	vlc.exe
3816	vlc.exe
3500	vlc.exe
1188	vlc.exe
4428	vlc.exe
4564	vlc.exe
4276	vlc.exe
4268	vlc.exe
4684	vlc.exe
1596	vlc.exe
1968	vlc.exe
5160	vlc.exe
5544	vlc.exe
5536	vlc.exe
6028	vlc.exe
5124	vlc.exe
4404	vlc.exe
5360	vlc.exe
5832	vlc.exe
6072	vlc.exe
960	iexplore.exe
6440	vlc.exe
7632	vlc.exe
7392	iexplore.exe
10064	vlc.exe
7228	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	6728	helppane.exe
Token: SeTakeOwnershipPrivilege	6728	helppane.exe
Token: SeTakeOwnershipPrivilege	6728	helppane.exe
Token: SeTakeOwnershipPrivilege	6728	helppane.exe
Token: 33	8256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	8256	AUDIODG.EXE
Token: 33	8256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	8256	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
960	iexplore.exe
1708	vlc.exe
1708	vlc.exe
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
3048	vlc.exe
3048	vlc.exe
2016	iexplore.exe
1264	iexplore.exe
1728	iexplore.exe
1708	vlc.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
2796	vlc.exe
2736	vlc.exe
2948	vlc.exe
3048	vlc.exe
3408	vlc.exe
3408	vlc.exe
960	iexplore.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
1708	vlc.exe
1708	vlc.exe
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
3048	vlc.exe
3048	vlc.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
280	chrome.exe
3408	vlc.exe
3408	vlc.exe
3816	vlc.exe
3816	vlc.exe
3500	vlc.exe
3500	vlc.exe
1188	vlc.exe
1188	vlc.exe
4428	vlc.exe
4428	vlc.exe
4564	vlc.exe
4564	vlc.exe
4276	vlc.exe
4276	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
960	iexplore.exe
960	iexplore.exe
2016	iexplore.exe
2016	iexplore.exe
1708	vlc.exe
1264	iexplore.exe
1264	iexplore.exe
1728	iexplore.exe
1728	iexplore.exe
712	OUTLOOK.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE
712	OUTLOOK.EXE
712	OUTLOOK.EXE
712	OUTLOOK.EXE
2736	vlc.exe
2796	vlc.exe
2948	vlc.exe
3048	vlc.exe
960	iexplore.exe
960	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
960	iexplore.exe
960	iexplore.exe
2472	IEXPLORE.EXE
2472	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
3408	vlc.exe
960	iexplore.exe
960	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
1560	IEXPLORE.EXE
1560	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3816	vlc.exe
3500	vlc.exe
1188	vlc.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
4428	vlc.exe
4564	vlc.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
960	iexplore.exe
960	iexplore.exe
960	iexplore.exe
960	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
960	iexplore.exe
960	iexplore.exe
4972	IEXPLORE.EXE
4972	IEXPLORE.EXE
4972	IEXPLORE.EXE
4972	IEXPLORE.EXE
4276	vlc.exe
4268	vlc.exe
4684	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1560	960	iexplore.exe	33
PID 960 wrote to memory of 1560	960	iexplore.exe	33
PID 960 wrote to memory of 1560	960	iexplore.exe	33
PID 960 wrote to memory of 1560	960	iexplore.exe	33
PID 280 wrote to memory of 1348	280	chrome.exe	34
PID 280 wrote to memory of 1348	280	chrome.exe	34
PID 280 wrote to memory of 1348	280	chrome.exe	34
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 480	280	chrome.exe	42
PID 280 wrote to memory of 1576	280	chrome.exe	43
PID 280 wrote to memory of 1576	280	chrome.exe	43
PID 280 wrote to memory of 1576	280	chrome.exe	43
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44
PID 280 wrote to memory of 1852	280	chrome.exe	44

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:1760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275458 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:603141 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:865286 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:1192972 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:6829067 /prefetch:2
  2⤵
  PID:5232
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:14496770 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:6512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 960 -s 3644
  2⤵
  - Program crash
  PID:6660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2016
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2200
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:4142131 /prefetch:2
  2⤵
  PID:7372
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:3945482 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:1292

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f24f50,0x7fef5f24f60,0x7fef5f24f70
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1088 /prefetch:2
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1684 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2448 /prefetch:2
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  PID:7924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
  2⤵
  PID:7940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  PID:8276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,13709850317995842056,2893661658154495086,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:1236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2472

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1728
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2508

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:712

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1708

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:1740

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2516

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2832

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2896

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2932

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2948

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2984

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2992

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3096

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3496

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3680

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:3768

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3808

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3824

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3896

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3980

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:1816

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3656

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3696

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4000

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3504

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4164

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4208
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4244

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4220

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4428

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4420

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4456

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4564

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4704

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4952

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5016

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4188

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:276

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:4804

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4916

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4900

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5024
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4784

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3228

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2288

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4948

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4344

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1596

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2372

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1968

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5140

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5360

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5384

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5480

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5500

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5512

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5536

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5544

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:5744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5744 CREDAT:275457 /prefetch:2
  2⤵
  PID:5972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f24f50,0x7fef5f24f60,0x7fef5f24f70
  2⤵
  PID:5816

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5796
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5884

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:5804

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6028

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6088

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6124

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5124

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4916

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4404

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4964

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2336

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5832

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6196

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6224

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6252

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6300

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6316

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6340

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6376

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6404

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:6440

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:6496

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:6564

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6592

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:6616
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:6640

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6672

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6696

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6720

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:6760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6776

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6808

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6836

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6912

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6936

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6980

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:7008

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7072

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:7092

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7100

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7132

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2940

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5444

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:6608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6608 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7228

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6728

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6848

C:\Windows\system32\SndVol.exe
SndVol.exe -f 4129873 7344
1⤵
PID:6788

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4840
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:6988

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7140

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7144

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:7068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f24f50,0x7fef5f24f60,0x7fef5f24f70
  2⤵
  PID:6652

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6904

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:7000

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:6220
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6220 CREDAT:275457 /prefetch:2
  2⤵
  PID:4844

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:7016

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
PID:7392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7392 CREDAT:275457 /prefetch:2
  2⤵
  PID:5472
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7392 CREDAT:2438161 /prefetch:2
  2⤵
  - Modifies registry class
  PID:8868
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:7848

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:7556

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7584

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:7632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:7664
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7664 CREDAT:275457 /prefetch:2
  2⤵
  PID:7776

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7740

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7784

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:7960

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8152

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8160

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8180

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:2032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
  2⤵
  PID:5684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:5280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5280 CREDAT:275457 /prefetch:2
  2⤵
  PID:2980

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:3128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:3584
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:275457 /prefetch:2
  2⤵
  PID:3032

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:7436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies registry class
PID:2272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4936
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2272 -s 1772
  2⤵
  - Program crash
  PID:8460

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6348

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6536

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2652

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6244

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5324

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4208

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4144

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:6548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4724

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5136

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5292

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3936

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:7864

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7828

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x714
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8256

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8468

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8492

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8484

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8552

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8648

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8680

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8700

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8756

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8804

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8840

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8964

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9092

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9164

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9180

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4032

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8224

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4048

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8328

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8476

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8560

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8424

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8508

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8780

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:8812

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8336

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5840

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6152

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:3484

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8536

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:472

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8912

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8596

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5864

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8524

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4692

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9264

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9288

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9316

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9396

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9432

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9440

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9452

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9552

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9580

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:9628

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9672

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9700

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9720

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9768

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9784

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9804

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9812

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9888

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9948

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:10032

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:10052

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:10064

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:10120

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:10196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:7148

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:9448

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2532

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9232

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4340

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9624

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7172

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1184

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9708

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:9716

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:7360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:9992

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:10084

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6016

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8076

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6524

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:10192

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4512

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:9508

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:9460

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:7784

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8016

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6552

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7796

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies registry class
PID:10708

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:10876

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:10884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:10960

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:11004

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:11040

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:11064

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:11220

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:11240

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:8588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:8252

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3884

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6944

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:8360

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:11100

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:11032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:2892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2
  2⤵
  PID:11428

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:8600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8600 CREDAT:275457 /prefetch:2
  2⤵
  PID:11444

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
PID:3756

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:8648

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:10868

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:11144
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11144 CREDAT:275457 /prefetch:2
  2⤵
  PID:11548

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:7728

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2496

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:10952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f979b32752118710ae1c2c62a16533

SHA1
9106f8b4a9f45d21c949d0e4f64067578d3d978a

SHA256
70febf329daf10ec8c3ac07f53cb5895bd1e4ae0f685fd9124123b0d002e683e

SHA512
8963a7e0b6b0623970e313dcfc7fbd98ba9ae7e45d13c3dc6f0655c5bacf2e45f6e828284458e462f4638cd163b490ddd943ccd6ca141d7e1c8f197ee839d5bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ed71bf9cdc16e9bee886d5bcb23b09

SHA1
5914b129cc456dc0a04644cd497cbcfdd536cae2

SHA256
dd6634f70bae24de34637b58b6432b973389bc49f73158fc0cb330219ac39a1c

SHA512
090d5c6dabcd6979a49817a18d2cfa4879e913d4586d80b0d75f38a0729bb3fba9e0f3068494c1253a4b62910c7e8ccdec294b59576708f199a5c47bb4a39bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ca0c469b8152e7e371cf08d73b026433

SHA1
07a87b72da129c4af371a735398bd1aefdb0e74a

SHA256
49bf5be3f0eae3a1851a7ac6e98c2aacfd41d04b0bee3f34ea75d3fe76ac4996

SHA512
2a051c82401a439602f6400b7af49353c869f464815dbefe068c3ad6249f7875e42d4c486dfdc22e60d54f711afc339491bb74922bba551df98e9ec0780dbafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CACC3081-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
11KB

MD5
2ba46a1625915e78734c76c422afee01

SHA1
491b617be1a744e7ca7731be0a468c6154b54d65

SHA256
3fd0c5394e92baf8c53d26ca9db1a3ae0beef92f7fdf652a9d56d45b2f4ed6c4

SHA512
76b71cbc40709ed65a69b154f88125671c94fb4da7e3b75af1b3cff3c0fae0a2627ffcb8c8a4c387ba9eba8a3d227875dba53d747b552983e26666a3083403a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CACC3081-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
15KB

MD5
000754da4d8cdb2d997aaa1e8197b395

SHA1
73587d02f6d92e597cc13b3676c6664197d01cf3

SHA256
12f495443d9f268d5ca29c7d2fc54c0a8cbd979fdd339fda9cb7b941fba04607

SHA512
c111793fe09913375e1a099920533f278ededa571c1e924eaa4db371f7ac54421267aab28516ad5b2a5c143a6485f3422318e779493bcc3c2450676ac757908e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CADF3B81-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
5KB

MD5
700658a6342ed8c212bd13292da6d00a

SHA1
a44c4fd34b55ce92a263661b132561896e0a7ac6

SHA256
2d673da5f3ce36f1b310832ddad2ef56a5b4a23471e5d7924b6d98e0e7f5198b

SHA512
7efcb3c054a5346d11a0d73a58d70e609fcca16c4db113e0ecc7f46064da305ef7c9e139cdf26623b6aaa245763d597bd631f2dcf6ee62e752ef4c59e89e0900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB79F4E1-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
ebdd60e4f64999f7113bef80071f1093

SHA1
84579ec7dfa990d55cab6ad319946f7abf1ed3ec

SHA256
94e214864c9ac50816a58fd70d9895f522bd39bb684deb88417321657691cb45

SHA512
d361da13aea61aca719b8c5ada170b503cc3d0072ebcbc7b3c9bc03a018717048e07280256d2e90bb1874d0adba35cca5159795bf48fc67695c974dd47672a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB79F4E1-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
5KB

MD5
90dd4106e14a717854f7faddc8d2d6b9

SHA1
a0eddcb0e25719be51389258d2e280417c2c9c29

SHA256
9d091c48f13e51d422ed781e24755281488f2ba8e8424b2406a3d67f6d1043ce

SHA512
5fcdf3c79ced36bca89df37e48eec5db4669264c288193d852186853140f16d2210e1b4e28e44bcf5b93dfc731d766954b4e0d6afa8fdedc5249efdec3f87cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB91C2A1-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
4a085c301b52851a240f2636348a6f4a

SHA1
8743357282d868349bd134d70faa08bc504fb702

SHA256
d8b92e5aac1b3326c22babe6cfde500bb2e99e15cf07cc46a15a105ed2e5b0b3

SHA512
26737211d30b8946d34314ad877bd14454d09ec4bf7df3bf709c7b56e3c1d9827bdc29e243c01ff5014198f23a6df5cd9218a9a414531a41a0281b8a3dd88de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0E3EDD1-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
26f5b121b4e8991027d975e3a185f80c

SHA1
7692c32e3df0027db9ba2840f4cf0efc5f380cc6

SHA256
5c83a43d85857ad226910796449af7c41dfb909b7c9719de3908246fcf59dc72

SHA512
bd9d3be193491878aa845d0daecd3dbb66aaf1679b7e55ed6312fe19a617c03e81d4a5888ea16cb2fecced33eea808743a2c0e9859f73544e7f7c1992a0b8e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F2D95531-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
5KB

MD5
af3965e0b0bf65cfc18a98dde4236514

SHA1
8eb4ccd4bfba67184b41159ae1e8d5fb301a7b2c

SHA256
e2787f9e380199deb45353d4ea9942dbd31a9bee5fe9ad330bafa23e0934cc17

SHA512
3a0b51c04b7d6e89a7b0fb475eed6600d0ff8bbcb8d4fd44f33d5f481db93eee729eb7cf75351e1e7141142eab1df5428fa0dde056b9cf4394f8d399834d87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F54BDBD1-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
3f5d9278d786128c269d01552236f300

SHA1
4961fc618ec44d83ac4b763fff11fd6bb7ea623a

SHA256
8f4af3749f2bb4dddd718c47a27fe6160c3670ff69e690e60c150199c89c282c

SHA512
8f2313a3bd909d765aecbb50f6ceb63de3221fe0c9c2fb9c38c04ba5b7cae4c7f811dd94851f40a79886fc15f232ae286a8827b1cfc4b1175f771de1a604c6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F6F45BB1-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
5KB

MD5
ce93774e0f21c7068235190149e3e90b

SHA1
1487e87abae5fee921b1714e8d9c02db04991a2d

SHA256
11254dfeb94d0c0f5e93d9164787c81f6b1343026366e40362ad67adeac2c9b6

SHA512
b448f32c755b96d37f410a1246a30229224c53e2568a756adb7a5ac8d72548f5b32418e4a60fcb0fd8354dea6bf6f6b6b4ff0be75149908717ffbec79893d858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F87E3001-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
5KB

MD5
cb7b3f1497772ad7151d7d9444540335

SHA1
779bb85ce094ab11bc18f83890c7d5ae9072842f

SHA256
2bf6aa251e76f0eaa11f57acc2ed978f65a351f7949615cab62dc8d6da4a9017

SHA512
577a6ef2e5c1273a577415918cef7504bde212d77d78f45999062a89e77f223a732b21b9f04593326e4fc5d28961be5282b033a63c91662a560100bf00746ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F8ADCB81-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
8cc3f1b63643f48df8010864be58079e

SHA1
537c331d1ef84a6f68a8f123a5fa4d7d751f6cca

SHA256
9d768d86237c6837ea6575bb57bbd47238bd07b6b12b8bb7cb83b39463b06068

SHA512
a438849a6f8f919b536ce76a4f6caed391972a6266df532236a7beb55dcfbf921d0b1493840f21fc14e4232d4ca151eb1043bbe47e839f251576d92179fac429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F8ADCB81-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
5KB

MD5
fa982fc2104cefe20cff6605330d89fc

SHA1
1649f3cf69a871fddc4c44ac6343b896f6bd1df2

SHA256
8886487f459dfa1e06960b17342f84535ed046620d4f6af383170133a05e602e

SHA512
c209f36a0096f26b73f30869e8cef76249c5f79815c38e509f05e1e73e42c997a71158c6b57f2ad47f1e6bc1653d9b66a2c984933cd10eb35ea49cf7f71ebe90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CACC3083-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
d0868705f075e616a82c11a7775f37f4

SHA1
285caf91b4754959ca7241d6dc440ad956e69b11

SHA256
732710ee5f4b66f1540ba7ecb6205d3540c2fa962c01b721a802a2f20d0dfeb5

SHA512
f070b4a87a6bfacafd053284e3118075534a5db9ace102659564325e68f8e7235ff1e8bbb108dfc12cc540db2b3df467816b172f7459e40af567495de2459a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D1738731-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
b126b1204dbc227fbf58de8a39ddf9eb

SHA1
28c47697df808af4999dda8d118e6184eb461e44

SHA256
017048779246f5012b2b714f918e2cd3824897499ef35e9131d547e6b80568bf

SHA512
c9373e453987a79dbfe8ce5d73c62deb1cc969fbd9fd4b6f3a5e5f5da831b7eb1b80f6b87096f2eabdd553a216bf2b3f9194ef70be0d17f6b17f4c68cca721f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D1738732-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
e5cba9c0716c12624390b69c27b9b113

SHA1
e51eb6a9450a67a76b745bbadf533860533e9b4e

SHA256
537be196abc6873e5c16e9231c6612b2bc97dff2b70c099be67a4f3f42d0c7c3

SHA512
1482ae98c3aff311166175e08bea8ea6c22a44e080141f0bbddb8ea01208390d6baa7d5ec852216543e18bb5ca0abde6a7810a32b6cd964dfa36434fcb1c54d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D1738733-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
ab070d4256b6a07e8c275ad878d6f160

SHA1
73527dd23849f2d13bd5d575709b3b62c6d89c8f

SHA256
c05f8fb009a8a53772e704f371e5359105f11d1bd831942e545fa325288f3fb3

SHA512
f5b02d6be775268fdea305ed710d40887058049fa9afed64072f7d4372e65f3fc6d584c63125f612e58801b429779ca2e19d39dfd8409683a250c3a6671538c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D1738734-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
a3507ca20155a79980e1cd4e2cf4bdb6

SHA1
adfdfe68f2ca4545fbe7912fdecd03c22d513846

SHA256
a1b693959587d668295eb32c41dc372110cadbeceb1d502d6e17e43f91d40e0c

SHA512
7120e1695a7087bc60541c57bd4dde358693287d4db4d96cf1d132a4c1e6e40c77c7fc4e6a65d5549368c0ab2aa352adf0f8d239b098105c21db7d31fee792b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DA3188E2-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
e937fe0f44a0a9f82b2d9af719ebba20

SHA1
4f7bad45fdee3058606fc0a0304090d0eab01143

SHA256
e83d97eac967714340750640cb228c5d9625d9d1a3fda0811dae47d0c0bc3588

SHA512
48790f43209aada2f7a1f9c5f635d89bc7d69a4d43ae6f4874376327dcd0f0bbda3a36ac48af3d20f150a880b585bea184eef4b057e5d94f6567ed90a2ee4559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DA3188E4-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
b485da9b1a314936d76b11166770d8fa

SHA1
70f75c89628e2bfb9ff6e483f8b4253f73fd383e

SHA256
e31f8d6383aac52afca1fe066362d73ab05e88ee4c0af53ca4a15b6b7bacf089

SHA512
93a2a99fa04308067785a8a3eb656e57513767e14c25429dd4ed751d7b7a9e6d2ad8d0bf0895d747c47c4dfa2ebf8b8012750549b10da00c642ca6e0aa79f39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DA3188E5-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
6341173d1feaf75fcba0c770a4c703b9

SHA1
1afe1aa1ce38032c03e0e03514a7bc4fc77dc2ca

SHA256
bdc6227c0276a27dd13659fde46ea1d34f4d168ade894108306a495772a1cec7

SHA512
9517d18b885e61c1962dd647fc6ab612a7c5bce0edc007dfe39ef315ce5244aaf993ddb721529f62a2ddd59c08b41c52458fc7f2a5f6257e2248a8c5c4a597dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E0C61AE0-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
5017f85877f750c939ef9ed39935bf19

SHA1
5c0904d9f6f9b847fd6f80deabf4ed0c85688370

SHA256
78f25e18275c14d70b5a18c79a2104ad68b1b2e902f818b86001f3908da13ed7

SHA512
359e03f5bcfad3d53fb6a0097e1825cb2f11f7ad9a229441e98113982c36436a7d29d6f37c0ac6faf8960a9a9603c7ab0a66701e8ad5a2e22d7da8ae98e2346a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E0C61AE2-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
77c35a5a51d8e68c60d3fe64e66cbeed

SHA1
043d98347e921b73ce467b58e33971c1366e0b1c

SHA256
621fcd3277dc088b6140995724fc413dd34613d272c7199ea02840db405bf55d

SHA512
3c59dfeb52a5770ddc5559bef4e31fe90b2876b55a356ad15b9f00fa2546129a78952acae1db6e0f98b85978da483802c2b2efc9c787a6ccb35d4ee0c244cf59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E0C61AE4-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
d85d47110626cea716938a1fcbf85014

SHA1
12a5a53bc6ac5db64fcaaddd430118733566aa00

SHA256
4751ac9fd547087c0c2b7787e3066de81cd04755549b7584d03aa9ee3039a794

SHA512
25a2f507b8a61e1073d0bc1c28a966785ab0146f7eb4fdec751851192f3f43f4e6b069d308e23042aabfbaefe4e20227cc5fb9c1ca3840714240c0d8facb0fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E0C61AE5-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
ba36ae3a4cae183204f9823faf98aed2

SHA1
3665b369d9cf10dfef438e00ec859811ad35d837

SHA256
72deb829dedc9eafff57bdb297954343ce8c82f6f76f2829179e1492dd3147be

SHA512
4f672a9f81684d2bd5650b98a4a65c53f4b98b7556148e83611b2bf92eb638846933d129cb3a60d1734e6659a896d5542bffae1243d767b9af83b0b390704efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E99819C0-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
303f8005f94e123f73bdc1b8720cc35a

SHA1
0c70388630b49917f8c1c822ab8974d0c917f5c7

SHA256
ada5f3b862eb05c29ea5d34cc0e3eaa8878e0b29e2388a631b0d1ec2133a4014

SHA512
5b23c0ce0bcbc2c74326fcd1608c14560f7a43c0db6d9e79ea0d546ba3ceee6de8bbea76e7393ffc988b4b8af7a388b87ab51529a484833aad463319e6928344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E99819C4-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
296c6dd706f2f8b3426e8248a0e48d4c

SHA1
9ca725bbca5806bcfb904893de6d9105deb5e143

SHA256
4b26bdff1c8ed04e673649714d5ed6840585e75fc6cb778645f3705bc47019d0

SHA512
6578b21c2321c3665ab576b22fd4c1c79456a278d90e2fc37fa8e8066add674c59979a7765d1dd864f0f4043a5f113560916184604e50ab0679cad52a2c4a089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E99819C5-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
9f2cbc4a63817df39a3f1e8caba09aa1

SHA1
be2c709a7833e407851f1fbaaf2a7fb3b78b2fe1

SHA256
cef99fd0dc2419f8b47753e1205b1e4530e742050153de824c7a0120445520d5

SHA512
f5bb2f55226cec8941f0d2d32b74edc3bafca674bf604946f14d31f7f7b51a1477a04f52e9ba1b2374c20c4c15de16cc987cf0cec445a4440e80ca9bd89d154e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E99819C6-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
3KB

MD5
b669e19095aef973f5312067dce1ad0f

SHA1
8ba712584304ba56844aeac345db6bb769727374

SHA256
2fd62db554aa2a0d61de51f6a8e3a903c486760df718685b2525a0e0d2cb426e

SHA512
e4cd79b1e4c2332a7adaecf3e6726e99158599dc9f6a2b0c86b0a4cd02dcaeb7cf246db35e8cedba44c93a5351e8f895629b89b0ccb975b558cc329e6ff91452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E99819C8-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
4a478594964af6ae140f583bda9ea9ea

SHA1
fa8463684a814ad5630b2680e1fe077330a0d585

SHA256
32b89a9ff538c91a65e711ffbe61d8bd6317099e8bcee0d35e0cd1c145f78a2b

SHA512
5157c4f68026e8bc843b8c62f4101d011201dcfd0700a5437527430fba5223d7b31083865460501a1992f9c6f10b702928f4c7ea947626704e95ac6be7fa2c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E99819CA-4EE8-11ED-AC5E-E60EF78AFC87}.dat

Filesize
4KB

MD5
6b3650ac82cfde1c7db9dba329a3b0dd

SHA1
5111a76e234c98e610e9fe43cdcf76c263f51240

SHA256
e0776ba6328b2e8b8427bf2d2396377cab7488ff2f575355c42f5bc5491041d0

SHA512
8e138aa033e6677d1e6160ad690be14e957a135292930bfae76fbed7e2826115b34f0f46c1eacf4815d0bd4717aada5d030dfb4f313c9a5ee7ae9543166b422c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8ZMU0UTI.txt

Filesize
604B

MD5
634055429260e4a4e320ab5e31ec4af3

SHA1
1149f22677e57169e5ea3f9de12ef08cf6a3923e

SHA256
756eb88a1272e6deeddd914d306fe0ae8a25d0885acec90dd439152c9bc899bb

SHA512
b7bfc2746dd8cab1aabe5a2539c3acd7030311e0555d4008312a164049339cb79484a17b484cb10341a62970ada54e5ead52bf802b80fe06a3bdb8f8bdb3207b

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
54B

MD5
0c0152568cd0c8e9973ffb9214ed8839

SHA1
a67cffd6fc406ec3be89cdfaacd17578c2a53ffc

SHA256
a4ed0fd16ecbc91246d94444a25f7d4e44ed676e89fb8dd35c1f478c83c73a21

SHA512
ef7bcab7e8b4329c36787ffad9d6ea8729f5e06dfc8760b845b2bf4d3d0ca74850fea222b6d4c990cb4ba593b326c95200db78286117d5b789f397c0f8d95efa

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7cbed07da55ed585f7408e7e31c628d2

SHA1
f0434c926d88c5083ff33792b5d51b788e69dcfe

SHA256
d4f5a84248795789f9ceffa9e314a1879e9d6175f4333f7954958eafd4f2bf44

SHA512
928adf529a03b376ddcd9d8d74dddeab8ff6ee1c1b18aa286b7d2eb40b225efc338cf21f3e4e066431f97d8167077ef5f3bad578a518715660b7b86056259dea

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD

Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
memory/712-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/712-106-0x0000000071D5D000-0x0000000071D68000-memory.dmp

Filesize
44KB

Download
memory/712-66-0x000000006A1A1000-0x000000006A1A4000-memory.dmp

Filesize
12KB

Download
memory/712-64-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/712-62-0x0000000071D5D000-0x0000000071D68000-memory.dmp

Filesize
44KB

Download
memory/916-54-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1236-56-0x0000000070D71000-0x0000000070D73000-memory.dmp

Filesize
8KB

Download
memory/10708-349-0x0000000071D5D000-0x0000000071D68000-memory.dmp

Filesize
44KB

Download
memory/10708-362-0x0000000071D5D000-0x0000000071D68000-memory.dmp

Filesize
44KB

Download