bandook | hxxps://drive[.]google[.]com/file/d/1u-UbTZbsdjctAnektHxM8aA9MryVPA58/view?usp=drive_web

Analysis

max time kernel
2098s
max time network
2105s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1u-UbTZbsdjctAnektHxM8aA9MryVPA58/view?usp=drive_web

Score

10^/10

bandook microsoft discovery persistence phishing rat trojan upx

Malware Config

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3924-240-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/3924-242-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/3924-243-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/3924-244-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/3924-245-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/3924-248-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/3924-249-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/5628-338-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook
behavioral1/memory/5628-350-0x0000000013140000-0x0000000015265000-memory.dmp	family_bandook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winsdksetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	winsdksetup.exe

Executes dropped EXE 8 IoCs

Processes:

Facturacion_07762.exeFacturacion_07762.exewinsdksetup.exewinsdksetup.exewinsdksetup.exewindbg.exewindbg.exeFacturacion_07762.exe

pid	process
1060	Facturacion_07762.exe
2772	Facturacion_07762.exe
5356	winsdksetup.exe
2384	winsdksetup.exe
4272	winsdksetup.exe
3416	windbg.exe
5420	windbg.exe
5992	Facturacion_07762.exe

Loads dropped DLL 29 IoCs

Processes:

winsdksetup.exewindbg.exewindbg.exe

pid	process
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
2384	winsdksetup.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe
5420	windbg.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3924-236-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-237-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-240-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-242-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-243-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-244-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-245-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-248-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/3924-249-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/5628-338-0x0000000013140000-0x0000000015265000-memory.dmp	upx
behavioral1/memory/5628-350-0x0000000013140000-0x0000000015265000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msinfo32.exewinsdksetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LK = "C:\\Users\\Admin\\AppData\\Roaming\\LK\\LK.exe"	msinfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0} = "\"C:\\ProgramData\\Package Cache\\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}\\winsdksetup.exe\" /burn.runonce"	winsdksetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 1 IoCs

Processes:

windbg.exe

description pid process target process

PID 5420 set thread context of 5992 5420 windbg.exe Facturacion_07762.exe

description	pid	process	target process
PID 5420 set thread context of 5992	5420	windbg.exe	Facturacion_07762.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exewindbg.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\ntkd.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiKdSample\KdControllerLib\AsynchronousKdController.cpp	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\cat5f7ef4904f75bf6b3b9b0f8975ad1492.cat	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\intel\intel1g\e1000_manage.c	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\srcsrv\dbgcore.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\OptionalExtensions\JsProvider_GalleryManifest.xml	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\winext\sos\System.Collections.Immutable.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\DbgCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\intel\inc\arm\EfiBind.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\winext\ImageInfo\ImageInfo.js	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\CredentialProviders\GCMW\DbgCredentialProvider_gcmw.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\usb\usbfn\inc\KdNetUsbFnMp.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\dbh.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\OptionalExtensions\Natvis_GalleryManifest.xml	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\sos\SOS.Hosting.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\umdh.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\WTTLog.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\wkernel32.pdb\0E86B33FBDC82F2F4415F9A1D2DCE6B31\downloadDDD8B46152C243618AF76DC62A8C9E8F.error	windbg.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiKdSample\ExdiKdSample\StaticExdiSampleServer.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiKdSample\ExdiKdSample\ExdiKdSample.cpp	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiGdbSrvSample\GdbSrvControllerLib\HandleHelpers.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\intel\intel40g\i40e_hmc.c	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\api-ms-win-eventing-provider-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sdk\samples\exdi\ExdiGdbSrvSample\GdbSrvControllerLib\AsynchronousGdbSrvController.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symsrv.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\catb98a31e36735eb82b3b238c68f36fbbf.cat	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\cat34ee98a7c9420178c55f176f75c3fe10.cat	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\kdundi\x86\kdundi.lib	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sdk\samples\exdi\ExdiKdSample\ExdiKdSample\dllmain.cpp	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\OptionalExtensions\Usb3Kd_GalleryManifest.xml	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\OptionalExtensions\WdfKd_GalleryManifest.xml	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sdk\samples\exdi\ExdiKdSample\ExdiKdSample\dllmain.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\winext\sos\Microsoft.Bcl.AsyncInterfaces.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\gstl.natvis	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\sos\System.Buffers.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\winext\hidkd.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbengprx.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\srcsrv\tfs.pm	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\winext\JsProvider.d.ts	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdserial\uartio.c	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\themes\standard.reg	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\winext\rcdrkd.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\realtek\rt_def.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\winext\sos\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\cat0253f7df0974f9d7169b410d812a5385.cat	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\OptionalExtensions\kdexts_GalleryManifest.xml	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdserial\ioaccess.c	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\intel\intel1g\e1000_phy.c	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\realtek\kdrealtek.rc	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\cat65f45ddc30ad5fc4f9873e7791f83dac.cat	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sdk\samples\exdi\ExdiKdSample\ExdiKdSample\ArgumentHelpers.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdserial\lib\arm\kdhv.lib	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winxp\wudfext.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\ddk\samples\kdnet\ethernet\intel\intel1g\e1000_i210.c	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\DbgCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\winxp\minipkd.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiGdbSrvSample\ExdiGdbSrvSample\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\Visualizers\windows.natvis	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sdk\samples\exdi\ExdiGdbSrvSample\GdbSrvControllerLib\cfgExdiGdbSrvHelper.cpp	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\cat802a07e87c65fbd441584c31e8bb0ea7.cat	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiGdbSrvSample\ExdiGdbSrvSample\dllmain.h	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sdk\samples\exdi\ExdiKdSample\KdControllerLib\AsynchronousKDController.h	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e662a87.msi	msiexec.exe
File created	C:\Windows\Installer\e662a8c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7BCA6411-E2E7-D7F5-10D4-382BA91890B1}	msiexec.exe
File created	C:\Windows\Installer\e662a86.msi	msiexec.exe
File created	C:\Windows\Installer\e662a87.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI674D.tmp	msiexec.exe
File created	C:\Windows\Installer\e662a8b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7520C851-321C-30E7-0372-74CC71E40113}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e662a82.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{78011ACC-E1CB-4B42-EDC3-91EAED6F933B}	msiexec.exe
File created	C:\Windows\Installer\e662a82.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e662a90.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e662a8c.msi	msiexec.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4776 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4776	sc.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ce060165ac6eec080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ce0601650000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ce060165000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dce060165000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ce06016500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

msiexec.exechrome.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133439311481347923"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c	msiexec.exe

Modifies registry class 64 IoCs

Processes:

winsdksetup.exemsiexec.exewindbg.exewindbg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}\Dependents\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}	winsdksetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	windbg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}	winsdksetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	windbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	windbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fef292cdfa98424cccba94f6e43d7dc4da	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fe185fa2ec37e446c8924fe7f03c2c8dcc	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\Version = "167860317"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\26 = ";"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3"	windbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}\DisplayName = "Windows Software Development Kit - Windows 10.0.22621.2428"	winsdksetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\5 = ";"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1"	windbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	windbg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{78011ACC-E1CB-4B42-EDC3-91EAED6F933B}v10.1.22621.2428\\Installers\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\158C0257C1237E03302747CC174E1031\ProductName = "Windows SDK EULA"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\158C0257C1237E03302747CC174E1031\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{7520C851-321C-30E7-0372-74CC71E40113}v10.1.22621.2428\\Installers\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\feb7b9575052ab4586b63f578a0d5ed6b4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\35 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\47 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.Windows.WindowsSDKEULA.x86.10.22621\Dependents\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}	winsdksetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fea02ece017df24a759b8968a71f784475	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\158C0257C1237E03302747CC174E1031\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{7520C851-321C-30E7-0372-74CC71E40113}v10.1.22621.2428\\Installers\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	windbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	windbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	windbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fec42e8b7606bb4090a496becefe2785a8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\9 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	windbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = 00000000ffffffff	windbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	windbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}\ = "{7645bd51-e95b-48cd-bf4b-0e9ab7ef33b0}"	winsdksetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fe1a42e392ea5046cc91bb04a9cc978ddb	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fea3d39805b3964dfbb2c42af17a8d8570	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\7 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\158C0257C1237E03302747CC174E1031\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fecacc723cc50741eeb5fd7028c9688073	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\15 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\43 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fe724bbd90bd1949ceb1bf35faf10f2971	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\23 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	windbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1146ACB77E2E5F7D014D83B29A81091B\fe80dc9d378c1341a89860feb21c962cba	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{78011ACC-E1CB-4B42-EDC3-91EAED6F933B}v10.1.22621.2428\\Installers\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0	windbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	windbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	windbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 = 5c003100000000006857117e10004445425547477e310000440009000400efbe68570e7e6857127e2e0000002c3202000000060000000000000000000000000000009acae000440065006200750067006700650072007300000018000000	windbg.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	windbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	windbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\3 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1146ACB77E2E5F7D014D83B29A81091B\SourceList\Media\12 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CCA11087BC1E24B4DE3C19AEDEF639B3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CCA11087BC1E24B4DE3C19AEDEF639B3\SourceList\Net	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetaskmgr.exechrome.exemsinfo32.exe

pid	process
4060	chrome.exe
4060	chrome.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5232	chrome.exe
5232	chrome.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
3924	msinfo32.exe
3924	msinfo32.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

taskmgr.exeOpenWith.exeOpenWith.exewindbg.exewindbg.exe

pid process

5864 taskmgr.exe
1544 OpenWith.exe
4956 OpenWith.exe
3416 windbg.exe
5420 windbg.exe

pid	process
5864	taskmgr.exe
1544	OpenWith.exe
4956	OpenWith.exe
3416	windbg.exe
5420	windbg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exe

pid	process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe
Token: SeShutdownPrivilege	4060	chrome.exe
Token: SeCreatePagefilePrivilege	4060	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exetaskmgr.exe

pid	process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4328	7zG.exe
5524	7zG.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
4060	chrome.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe
5864	taskmgr.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exewindbg.exewindbg.exe

pid	process
6116	OpenWith.exe
6116	OpenWith.exe
6116	OpenWith.exe
6116	OpenWith.exe
6116	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
4956	OpenWith.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
3416	windbg.exe
5420	windbg.exe
5420	windbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4060 wrote to memory of 4664	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 4664	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 1548	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 3036	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 3036	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe
PID 4060 wrote to memory of 2832	4060	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1u-UbTZbsdjctAnektHxM8aA9MryVPA58/view?usp=drive_web
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffba83b9758,0x7ffba83b9768,0x7ffba83b9778
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:2
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4708 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:1240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4540 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5168 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2624 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6016 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6204 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3828 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=980 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5388 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:6120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6176 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5996 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4720 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4892 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5740 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5992 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6116 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:1
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5856 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3196 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6400 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 --field-trial-handle=1880,i,15067652023289626594,2870136144794506087,131072 /prefetch:8
2⤵
PID:5336

C:\Users\Admin\Downloads\winsdksetup.exe
"C:\Users\Admin\Downloads\winsdksetup.exe"
2⤵
- Executes dropped EXE
PID:5356

C:\Windows\Temp\{9F859C8E-4DB4-452F-AA9F-83F96529015F}\.cr\winsdksetup.exe
"C:\Windows\Temp\{9F859C8E-4DB4-452F-AA9F-83F96529015F}\.cr\winsdksetup.exe" -burn.clean.room="C:\Users\Admin\Downloads\winsdksetup.exe" -burn.filehandle.attached=576 -burn.filehandle.self=564
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2384

C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.be\winsdksetup.exe
"C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.be\winsdksetup.exe" -q -burn.elevated BurnPipe.{7E71C21F-DFFC-4592-8631-E09DA53DF7E7} {FC1DCFEC-CC2E-4312-9843-2086DF2C120C} 2384
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" h -scrcSHA1 -i#7zMap18828:94:7zEvent17384
1⤵
- Suspicious use of FindShellTrayWindow
PID:4328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16469:94:7zEvent304
1⤵
- Suspicious use of FindShellTrayWindow
PID:5524

C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
"C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe"
1⤵
- Executes dropped EXE
PID:1060

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe nnchwwghwgehwgewyeywyeywyye
2⤵
- Executes dropped EXE
PID:2772

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
3⤵
- Adds Run key to start application
PID:5628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5864

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\system32\msdt.exe
"C:\Windows\system32\msdt.exe" -id AppsDiagnostic -ep CortanaSearch
1⤵
PID:2720

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:2344

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:5480

C:\Windows\system32\sfc.exe
"C:\Windows\system32\sfc.exe" /scanfile=C:\Windows\system32\Qmgr.dll
2⤵
PID:5888

C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" sdshow bits
2⤵
- Launches sc.exe
PID:4776

C:\Windows\system32\bitsadmin.exe
"C:\Windows\system32\bitsadmin.exe" /reset /allusers
2⤵
PID:2920

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" start bits
2⤵
PID:5508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start bits
3⤵
PID:4920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5856

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5196

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5384

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4456

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5420

C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
2⤵
- Executes dropped EXE
PID:5992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e662a85.rbs
Filesize
352KB

MD5
cc01a073f96b86cad9630d0441c632bd

SHA1
9d8841c3652d1c7711150847ece67880bcb73759

SHA256
ddf01d277ea24e2de4ceb5f040d14dfc557c55ad45024088ad56e6d5edf9e1ee

SHA512
f3f45a24b72193c2f8ff38b1963f00b31c8d1e92b5afc00ca01bd53e2d710f05679982e5d9b1da735f4328a231cac9f0231cbd11814977631d38df93d02c8624

Download Submit
C:\Config.Msi\e662a8a.rbs
Filesize
9KB

MD5
8c6c113b7168432be6a7c1df197da52a

SHA1
50c994d0096b658dd015fe5b44717ddff979cf26

SHA256
99d29c3b0f8c346f357ed22f5af9a5931461d771d1260368f46d557af0e0fe7c

SHA512
4d595652d553eb69dfd6e415d0de5d3fb8f798a5038390f37329a5b167fbc4e199a568eac2d1dfb124501bcbe5519ad05c2df42b561554e28219d43389ee803a

Download Submit
C:\Config.Msi\e662a8f.rbs
Filesize
10KB

MD5
d0b7e5cd198e2c53c2f35c50b203a138

SHA1
634ee5b8beaa4f96c526f80b3232fd4b68ea784c

SHA256
d860e0abf7434483a2836410e6eb1d2d9ec5e8704c83abeae17f3019df2697a4

SHA512
cf69c3ea374f8f738d1263e46718ba3ae39f16e149bf4f136ed980390bddf53c4c35fb22d9208a3b4e6e9c0dc2d04a0601e7c8bd39947b52f0f6642698cb6d23

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\ntdll.pdb\96EF4ED537402DAAA51D4A4212EA4B2C1\ntdll.pdb
Filesize
1.5MB

MD5
d09b58cfbc344a0696116962c27fff11

SHA1
ec6d4f80bb407083243c054264218d2fecce4091

SHA256
25425ac4b85a72123fc0ccdcca4b75947e5f39fa0f369ab4c0fca4a3bbdd6189

SHA512
af011632ebf61f902e033aea4a58b1a50e0cb5fe41f5d5ab9ff076e385cab0a5102aed44fce9d912b9dc115f61c7c7aa9b41e0f7d66f5c3c60aca42623c4847d

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\ole32.pdb\62499579901FB2254739642C102F2C7D1\ole32.pdb
Filesize
16.4MB

MD5
db31d6df2866a72b3520141c41be59e7

SHA1
70a7d2fc9edc71e2689ca31d881370d31603d253

SHA256
5a4043fe0c4906fabb8a3fc32fe70c01ebcd2e5a73ed897da9401a7e8fd0818d

SHA512
e30ddb1c6ea9719ad8aadb68d1326fd8843c4f9bb8b644a8f976759283bcabbf0ead8b7f1f05bfbacfe036b42a5f15b6620333c444856b9ff02a2f636951afba

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\wkernel32.pdb\0E86B33FBDC82F2F4415F9A1D2DCE6B31\wkernel32.pdb
Filesize
963KB

MD5
2fcf22072ceaf04c41e190a3009be5a0

SHA1
036f47711b2ef5b4384dd863392698a2a3e9edbb

SHA256
057412e65ac153bc43b618208850a3956c9f52449085f9718095f1ea1f32e667

SHA512
aaad514626fa4abfee939a462ba3c76c30dfb13e57801f55792eff8feea54d16f89f1ff07110a3f7c2dc4a3906f6b455b87a6044372bc3dafd85e977390553fb

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\wkernelbase.pdb\1900730DAC64C3B3EAAC33EF0E4D0DB31\wkernelbase.pdb
Filesize
10.6MB

MD5
534bc79cd35dcdd5a30d2ab0fd7b101a

SHA1
a70882225ab00998f658c701695f2510afd9d777

SHA256
ef65c3ea371f6d571dca37cbf6b5647604090a522e69c701abba4245aad98968

SHA512
2822645049ff0ccbda2964573099185f1e229b17ed79bd3435b8780cadbc77f783d9124de2f9adf2468e29b901aa2003bbc6d6a6561ee076cb5e9bb48536305c

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\wntdll.pdb\B6EB6DFF017F36A18E8034D67B4DA9941\wntdll.pdb
Filesize
1.6MB

MD5
1783ed29e40fb68b6854166f0cb5e3a2

SHA1
2b39cf51e4dc37dda5b261d8be6685f79a8a62ce

SHA256
a8d9cb62596c85e3c48d259f941123cee62a3e7fa39f8aae3bfa88f671bad48f

SHA512
5db332e607a003f2aae739ee256fac927a5c3ea30593aa6cd605dff9fef6586ce62c8fa3c2384ddb5cf9bfcadec73866a840bb3375597bea39588d8faa7ee46d

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\wuser32.pdb\F3C0F5F7EDBD50A93B24C349DF1AB55D1\wuser32.pdb
Filesize
2.2MB

MD5
41e7610d4cf2a1b858b2ca170a76d9e4

SHA1
81e97700098caf41a19908121a2d37b3a2bec33d

SHA256
8e069fa74b31db6af5b9e279a2ecd0e0708940bad4cadc899b76f036d737a629

SHA512
7a182db01c9adedca721797762416a1a6ed2b2cf4d9ae75c96d4c83f2d61fca00f3bbf5ddd9f380b5b631db68a4d097eb24ff04ea0bf4f2118dc83f139088f2f

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\themes\placehold2.c
Filesize
397B

MD5
fcb4a0676b7e7670a1a9dc4c239acd00

SHA1
20eb7647eca453a612d804c13a10b584f2f28d23

SHA256
cc8959c2781fe281d2e907179474a652e86906dfcb93fc5a3b4fd376d583c176

SHA512
57852d848dcf37dc68ce539cdc4666277e451c0e83ab7a7c7d951c8496ca0540932010146fe15794ab5624ae8f82f35b299679d4f3d8bbdb642eb530253c7bfb

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\debugger.chm
Filesize
7.2MB

MD5
1765ab37cbe4e81ba873ba49d89cbcfd

SHA1
6ff4d90c280c5dcc7e34e391c5da18159dbb74ec

SHA256
99e9d53d7aa708da8f6fa844405f9ebf1670d23222dfcb968e7ff693a98cf22e

SHA512
0016ad0ac959264621e7da0f00bb41d259701685b95dcc47601d1012cf9f489cf3247264ef0856014d7ad9bdffb51bb82e9fa51df16d8d93e9f4035a68b45b10

Download Submit
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sdk\samples\exdi\ExdiGdbSrvSample\ExdiGdbSrvSample\targetver.h
Filesize
314B

MD5
05f2aff48de1b7f920e0fa15051a207f

SHA1
03ad3cc7b864b3e1b0a198f35e01381c27a5cfbf

SHA256
a2761fdbd4c8925741ddea678ee8398de930207e447666bc6a76d5f72684c04f

SHA512
3ce3aa07f81afed98d98abba3f2844d7679d89ed384f598eab6d09802110bc98682425972606c68c7fc3878fb4af04fd9e379d1a48f299d223717485d8660804

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
0f84d299196cd029087d4b03a219d026

SHA1
dee4c65447198c327f485121074a1184b137a710

SHA256
6792bbbbd55f9fbbf8813517c964d3bf457ed4ebaff18956f6983da5b04c55a4

SHA512
b9e3865a8e97821cc1b4f98223454f53d0889401e8075c43213b590c6c642dcd56d7ba93715ace62fed3a156bbf186050427f749182956c3aec23c2cfc43378b

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1508469439\2023110815.000\AppsDiagnostic.debugreport.xml
Filesize
6KB

MD5
c2c78ccf8166cd22ca3e800cce8d7272

SHA1
616bf1d4d3bd3b1f4fa93f20bf2815a41ac8b54b

SHA256
8a19479ef1070cc563e84c5cf17f29d4047bbb0e179e8bd4b29fcac991c9109b

SHA512
9299b39c751c195d9c56f31b944512c39d01d40c011a6389db0dc393dcac2e9cf5540deb54e13ce553f5aaf68e27da38e6a7ec3192d0594946d9640daf1e5d1f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1508469439\2023110815.000\BITSDiagnostic.debugreport.xml
Filesize
4KB

MD5
2aab0af7f72278490330875f6f74f505

SHA1
5cbb5aa9f7a8787b1298d3996712685f4f570c17

SHA256
74967b7ed53a33da0965ffdca1d4b18777f9c1c9a1db5217709cb866ee4eb3d1

SHA512
a60b132c4092b431cc847fc785a54b3dc84aebad90114911a92376ccde469efd6d588d663b301072adae2f839c5eb7d650a4d122adcc7112882b064e98a29633

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1508469439\2023110815.000\ResultReport.xml
Filesize
3KB

MD5
720e56305a3fb2f631090534dab30832

SHA1
8b79914e07768b8a7e6723ee29b7f45d3019ceb0

SHA256
1ca74dffdd632356c125866de36ded11dd0fa4aa05752580bd71f4821638171e

SHA512
1953c3382c98836425bb4394a47f191f888f2a57a9318f4888f8b327da8ff4a7728c0d6dc65e4ad778ba16904d3ec4ff1f6c13e31a0aa4ef01b24306456d5619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0cfdaadc-983f-4ba8-87b7-a0033f54a04f.tmp
Filesize
109KB

MD5
f9c4de632e98ddab788f72762cbb34e4

SHA1
b2d94edf0d62a7a9013cd274dcfe319f41139341

SHA256
ddd0bf9e6450da1572774a9731cd10a66b2ca6674920ac577aab3f7c7a96f638

SHA512
39c48be654e1fd6c5b36e805fa9c80d46f12fe7100ecee6e7e487ad85bd508f24d72338cdd2b710bdf1e0b1767fcce5fb6b880d8d8c5acba80c2b127c3feb44b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
39KB

MD5
17b9bb9509fa8aa6e3ef890dc6cb9917

SHA1
81d4f55fe01ad0a40d0d798b102ca826e97c0de1

SHA256
b1e8315c3e639293576ca2ff44b6374643ec3d70faad0b74972bd3d0183d1efe

SHA512
0a22b4d514642116d483d522bf3a86ac3fa4ed7e9931a67e401cb98ced433316711416f49682ba3014dc0249356a65122e09465d84331574c59e62c293b0344c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022
Filesize
74KB

MD5
b41f8bc23ff8bea5df6552658069bd5d

SHA1
2f9388f9ada11c40d97d6f75e2ad2d5f531a41d9

SHA256
200ace56af77a5578a373e2a6a049efb9c8b0ad523262cb23823236f4920870e

SHA512
fba041525a3ead9a89aaef1b918054f53b4f3301cac9be8edee5b3e8ea954e8f26c99427399fbd19df978a8a356a495f1dfb8709d8edf90ef4653a8470ba4acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
431fc97689d72dd2fb4292661f518d1d

SHA1
b987c9df0a726104f46e38204cf9f6e861257132

SHA256
8b0d0091a3b2daca598102a2977ce45c457296d07101aabf9bf04e225d14a3c9

SHA512
a135c3fc785b375f55c25991b195779b690d0cf6d189c0bd992b1278904084cc9e10e6537da3b9bca7c708f3f56c0232bd96cfa5aa9b5781efa912f4eee3543b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
792B

MD5
ab47ec71641e5120045a902a0bf4c9bd

SHA1
db8d4817b0fd7c1fa37953dabb43edfa0569bb91

SHA256
1bc42ec89d9c7c71e71b5195d781f26085e4538eeea00e40ac84fce521c519cd

SHA512
7477410dbff3d2f949b273dcda0675870e20ae929258b033810df15bb1441739779ef2c0b48ae5f4d493bccc81dcd8eea71965acfa95db367cb7d074bd829a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
051136de579264804740b1714f01e78f

SHA1
63fcf694d24a9461e035f16dfd1d84e804c85eed

SHA256
0bd483a98692c3780c95302cde587d4641dcf941f6c53679f800fd74f3455372

SHA512
cb254d01212d62ef053007b1f76bc381a30b7794eecfbb7b6256cc211cccc57d23f4ef34d7a3f1c32b80ef145d7b72b8a4dde1669a8fccb7e96732132de14490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
4c2a64db2c37e154b565b09106a16640

SHA1
e21ad91b3c0e044cc70713421fe896759d3ed666

SHA256
0209a0efcfc14da5c0b53d9ffbb2ca2f4d6973ef89995f6f2e563349750ab766

SHA512
4b997378caf4e5226b8819fc7d1efa624ad0939b3a1d652f1eaa9aaa15a20038d26e313c3f8b619e2ae0cbd5ca5f598bc9db4428db29b36ffd620befe9d1f6df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
840B

MD5
fe23192fd47a446491d046a7fd26b3d5

SHA1
a9cf014ae9cf26a1596c2843fa174807b239a827

SHA256
dc1fd50543166eb4512c89f28f1f9a4566d05600dc6e53681b19185f4cbc9c95

SHA512
463e6118ac794a72109234834507aa61c6ca6c8ea50ad025d685a78effb86fbe8b7a1c71400752579db5eb51789be7385e0e62598e80c6b69de0bc755e96c8bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f299112c04e116fee6f492f6887ebfb0

SHA1
edda93a223bd3cc78634878ca08ad2a722ecba4c

SHA256
049736ff14334c16ba669b0932ca2a9c6ea62de11207feb731b0c11c8e4c5ab9

SHA512
cbbc90599bc3cefceec6ca0e4e8efc4bd812458ef14b011be85ab89118314a2a302b28310ba9f41fd80e08c7a8cda6ad57814b618c4130f0c9eb447776b07bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
d90868d83d212b807b5337bcf3d1d6bb

SHA1
c7a49206eee1f91c4f4172fbee28dcb9aea9f933

SHA256
c154dd5bf3166ea127f109c9a6bb1ac5074552c1cdb2dcc9804e553a1087e64a

SHA512
65dcbfd20ad72c8a533076b2c27effa4dbd617867a0359ba8fd78b7f6b53f2f29796631d30f0257ae3ee2db63b487f6fee4ae7824789e86fe571f7f17d4c3077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
2bac1a440c8e9b5695d7e6e2b9ed287f

SHA1
5d4ea43d8d79d3825ba33b608d6e005ffd150ea3

SHA256
84073b320aa315d6444667b1ebc1abe1850fc8a2669166bf085ca00fb5491c97

SHA512
6462520799a334bc1e7c0e88331d827aa706b25b4feb272bb851f0b7d446395a6a700a96bab97b6e2bbabe1d434832efe1a67508567f83c63b8a19b657c31d59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
47cead34d43c4cd1b2158a3145ca90f1

SHA1
4b8ed4cd284288145c01aec63939fdcb9e11ca4b

SHA256
b100526afa8df4af138107010bb194babb496a8e43e8d6bdc07072ebdf2892c8

SHA512
996653c449a9f1c376ab970c9ad3574a9592c435b477051915b1fff12939ddecf32133f00df04806e9c79db8f770a8660ada6f6cfc76430d4aef8037d5b8aa5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
11e3034653ea65e88ffcdf5adb97e00e

SHA1
833a140462f527bbc487b5afbbff608eda18c4b3

SHA256
a6f2df02470d6940381029d8f806bffeaa23cd81fbcb5d95abb9777b7a7bf05c

SHA512
3f0dd1ed06055ff0b74c5f1b04f1cdc63bcd458ab74128cab95bfab7eb2cc56b741655d9d575d0e757eb43eb3278114d9a5e35bd39e5bd65d3edad62edcb03ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
9990fcf67ef5099a850ff56c519c4367

SHA1
62e228970b5c7117ff77321a23680de50e63f445

SHA256
e4af4365232cbc0b52fb0bb630cd82828d0f63dacc166e21fe2e3cb29541f3a9

SHA512
315794d0c6c611e3b23d25a75065054b20910642d7963c047452f68dd9676d25d709f65f7b3768b8c868e527390c585a89799bd5201ce12897dc3813a4a68c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
615302cda39ac160a7a6011e7cddcbd4

SHA1
ad452d90da8dc550c28157d23a40bfb92eff3b64

SHA256
d447c5c5fbae425177f1a35602f95c2b40da8aafb4f9d5153ec3238f511dcbb5

SHA512
6fb2e8abdcea94bd5207227e47cd196a49dabb7a45a9eb3d40252930a73ee495af095268a535a0f9530d2458542a89844770eb752f902ab6c8fc1e6f0a75dab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
ab1161decae4253e665c51db1bf16167

SHA1
1f8a617643f296e4f12acfdbf16b937dac2f7d9e

SHA256
feb2ee80b4637c5ff93071ccbec1f30842a4d09d928c8a06d594e44dff4bac5f

SHA512
341f5116927608bf2f4d4bab21f73b702f64c75492f2bf31af31e956f5873ecda02666ea79b99a4425205d6f2b9f30f8e5615f575da8738bc2ccbf49b79da3a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
43d7bd51bbc29ce3e4df57a4e1a8e3cb

SHA1
7b2fdc14f806cf82e38302e6b52b75b3baba2d04

SHA256
076c75296e295e566df94a707c2d7ce99b815aa0510d5047652f95e504bd0f1e

SHA512
e9c11f2686dbf3e7fc0cc1ebd2a05f2213a1378c8f20ccf815b163ff7f674442f3b109346f3da17135f6a45bacb742210e18626952629e62f105acceade2a6ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
381b11c2b652ef9903fcbba7c6d10321

SHA1
fd0a517a9f87208da268f4efe9897f56a4dda40b

SHA256
2ca7a420cb6f9cd725b97ab1a9c5ab2dc9ca5fb63a8a7bb5e627152fbcfe9f60

SHA512
71abc88bf2c4912deb332692faabdaa7c3446d6cdf782d400c449452c5b9c308a51670386611d142d1cbfd32c6e1ed1cdd415c25f90e886731e588773e130ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
5815827bbce156fee915322ecff68157

SHA1
2ed04f9743749637dda1e080aaf3a69e06db33b4

SHA256
27cd267d37049114b0e032771471f4ed8753b9baf8d4513e1e9c324611e8bda6

SHA512
52d99e5ed521de5e5a92a0dd8583289b0da50f75360b3369a0c1d3534083b30d19d136400c1c21e77b8dacb5c463bb47c06f361ad036897da53dccabc2007054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
5174b31de52ce8620f20a5f9c507a620

SHA1
fdd0a0eda7801265ebee4c6bef84d35c430f5678

SHA256
cefa61b8d9ab01820b68e5b3c3d6d86458b9b384ebd7736fcda9dcbe71b1441d

SHA512
95b737d13f73a3f82058908a3ed180838eea16a3c7422ba0aeb9dcf51b5531cbe1e770c0ec415bcbe1a88bd378977c94de58e7121be5f7cefe5ca584bc872589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a2d65d81a75817dee1da4b5f25d1b862

SHA1
cde986bc2efdead8beb5f64cc2440667d4f4ca38

SHA256
f925c23825b1a297274f476c23919d157dbc0a8d5cb644326e97aa3431fa923b

SHA512
eb3fc30d83ae2838be06972f298bb19181a4c90bc90dee0e23969d89f09c7be683f6daad7824b8a54303b672d699c262046021f79f02995914229d0be22d91b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
45214a152dc8a672b1296b4c0d011a36

SHA1
edb3c4ff96f339f1557a54180dde4b316754adbb

SHA256
1fa7db9d94fa167ee3f79fe47a5e3eeb41850fa7196de551b5523aa0fa897dba

SHA512
3481ce26016f94bdb1450c147b401a1402163a918a9cdc9c49c38965203e1e576150b5a89c73aa10704296b74d6cab92dafbbda0e1011ca82b68263d2c3d94cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
387c119c99d2cc2d8d89449469d5a31d

SHA1
3bcaf72b322574b16c1e6a8820e4dda2f391e99c

SHA256
4aae64c0f88204be39b8969cc33aa644bfccd25656114fafee77f9376c1a32b9

SHA512
edd3bdabffc2b67f8aa8410e2c4d6fc8858ef5d572d8f98ba04ad0a06243873612cb9cff3ce1a34e2733cec42a7e5771ff8a58bc8e183d4231ae8c74a425bb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a4ad9f225fa0bc72686456b52724398c

SHA1
6ed67f464c2da1f1d01aaa2e993e8a3282528cc9

SHA256
73474c550c20dd32e8d60dbcadc46f309e78a9a4ab24e29dfdb1cace03ded772

SHA512
b37a94e40b11212bcdc6dddf93d36d8292721e277ac03d2e1e3f13ff2decf6f924b4eb01fc47c754d5add40b09e2adf588a60826262d1e73b625a6800630c971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
393ee60a0e301f278a417c9275988f31

SHA1
bf892d390481bbc8ac96e93a810b4b2e4c821251

SHA256
5726c13868df908a46659fb037956a50e2a38413fed249376fbc7658a9eaec6a

SHA512
4ada27c3b6dd4d72ddff1d0d58bb4b172ef14fc52ec2bc41771eacdebb4bf4bc9dae802a9489f184f9547a8484b8d1157626b2ae554c7ada086346de732bcf40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
84a04dcf529d4082649c1111c21a7af0

SHA1
6ca07e0483ade50edfb4bdc443c1a226cbf87911

SHA256
2ce154a3c0e5a9ad4bdbc0716f28b0c90b86190ea1415374d859943520d9973e

SHA512
c33c5089dda0b8767e9b817162d3fc2522b6e01abd21045ed2f5fc59e74a051353164fed857f1012cf3b2ec26f0d233ca92ab999dfa3e6ccba55a69d5012b97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
efe5720f2eaefed9a9498dfd50d80c6f

SHA1
a5fc92bb7a6f66783a42c2b9fdde16a6fa2d6541

SHA256
14f013d9133b98c38195c3429e6d002573109a86dbcada58d44445453797b212

SHA512
22ca97d325cf2e012a107638722c1389d3380eb459311ee2f685cfe183d23414746114d9820e00c7a8a6d318bdb1e17cf77b120bb6ecc3a246a1122979cde0fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
1fd49635c61d6108f611354894fc5c99

SHA1
7316b57780737afd3cbf12303f978cc4089d3eba

SHA256
c64eed3620b4c882a6c17b2602b230a2879019e3b2128f547a2fce8200d41ceb

SHA512
7bfc359235757b1fea3948a1975da93abe3cd8ff59cce3179163b1f2567b618a4ad099bc2a33b160e49aee3f6fb93034b670a3c04191235feaaed6da30b87488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
77eb58f5adee625a67e242b4b2336ee8

SHA1
351ecbd7129e85a86497f8688312b5b5a635364d

SHA256
e0f929ae439a656af2564f082de06de340e86e6084c40e9233f1adaa99a921d6

SHA512
ceecbd28e1212ea3af28dcddba22574d932102490164a1537fc177344def4095991c7007881f26f0810537d1d8d725d4ad341e1103cff695ca85dcd7d54508d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b580082a072609169e69424145af44ce

SHA1
13ab577e029e29479887ff5dbc4a6a77830ac173

SHA256
c0c12a37cbae4e524c909d22853caaf6f794aed82726adda97b18ca51415c1ba

SHA512
0b4b7c527d17a910a231e1bfe31fe026912cec3451feb133f242a04efed2bc5f29d5b844a1f0747ba0d7f09f6ddb697e51c471fd7fc9d0fe0ecdf21b1f1019c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d6183341285cf828981e02c8174b6fca

SHA1
83d9d36385d4f8a1501b9cdbd7082e2fba15aeaa

SHA256
7c47b1ec114e3601475197507c5f3a4359bf709a221ba2cf10ae78c1c12b7400

SHA512
89ec923f6807f9590dfa3c7ca5123fcd66de33abafba21953364ad55d021cdf5ecb4223aeba6b731b335879add3ab5f6313f84322e21647f4c488bc50238b3f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
36a8e48f13c4d85b964b5c8d62897a7d

SHA1
5a0370543765dd10861a74e57a90c06c890d60d5

SHA256
c0a9143d717e58973bdb96261d61c362b41196f888e56e502e75fc0956cf026b

SHA512
99f8f4576577a53264b4c6b5de92b2c9798af37b2b3d341eefc6f8789996251446c107f65874654af3e19cfda0e3ccddc602ee111e7f9ce0b1ad7c514999fba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1eca71a4fa89af90f1b405c4ebdc0c4f

SHA1
ebe9485b325f3680ae44fb5673e03ea887eb75ee

SHA256
a783ead338c4fe26ccaf2573ae12c1f551ac73d5e0f6ba8f40bcb09b7158459e

SHA512
732b189fb5f22d4ad8de9a6e693ed95ec72564f15acdaf7e77e0dc63f488915de8495add44ffca5192dd7c4a5c2a4fdcf4c9bdd67a7d60e0b49203a7841d885e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
da6c2a15d14f6307381de238c1d223ff

SHA1
e229467efa4a646006a9e613b47a869e61bd6c8a

SHA256
59e93176e693e74c3c2708194d519fba10c8fbb931c154db95af86948dd30f7e

SHA512
50291c39c4995934ec65dd3c432d8589e5703445a9405d172174bf1e41ddf453be6b1bc65a0dbd58049a4fe263a2c98ab81e2fca1c312c928f772d9b4d0b5f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
04f82f331d65e97ca5c01d8dd1c69b76

SHA1
74297c9eb2de946fddcac3b9acfe61e284d0a6d9

SHA256
f97b4ec755df9ccbeac5d0e51bbff9a30cbd3174a929fb91b9e9ff1f9758356a

SHA512
a572b0b61ed1c571b5c36452a6e2ef67d2b3999d11ead1ae034927fae2194dd77bb87478619d7f5b126f8cdc713be1d3e91ecb3ed2ef2794d3302101dcb63e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8b9fb015202b9cb55b72ecf4aff79a07

SHA1
e4e6cd1158cc2a4d82fee7e37f9610c77f42ba60

SHA256
f424676401f8115d4b8dbcc05c61282f49ea6d421199fa8795ef139c91fbd8fc

SHA512
a9939f511df5d79408ba412bae2ad5454a9ebe238e5d81b5ac490edc4ddfb92004261f89b6612bc84fcaba28c6f92230bf627834db198f09f0d3321252b23fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a637ee8b-05ea-49a5-9c8f-83b76073c182.tmp
Filesize
6KB

MD5
fbb7d440fd51dd5f9e6fb93100f1118f

SHA1
71b970e4b9d676e637726bca87aab75d6a8b28a1

SHA256
6913117d3627c5b7fe25f726aa78f76eb327f4bc9d11df123653b728e4600c31

SHA512
919ecc8bcb044888a4183c9280c517fc1c381fbeae58db8c8405960a223a66129ceaa91034c70b14edd3d1edb63e5a42ffd7fa064334f94f8c2ca7c593d33b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
109KB

MD5
cc416cbf4ced94cae906e3e8ad03f958

SHA1
8b11c54b06c09bea0033ca77d42583fc9c9f9c49

SHA256
886128444d649c1c58e89aa6acacd38f416c61fb644b9576d3a5ba841f0eada8

SHA512
9c953616ee07c0e7036ddad8a2333d03e81c1d74c45df9662d4f5fd95d0b66a04c5f4198aaa959ad418bb5746126e38f397ea212aeabe449da657d64515d5717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
109KB

MD5
0b7fcf70476229a527fefa7955192532

SHA1
de3a75f72ec8feeef711ccefcc44bba4521b067d

SHA256
4bcce47197d8adf2f3f9f1470ecdee6415758072a1a691311cf70548beb72e14

SHA512
5aaaab6459109a4f6b1c2b2a78ace72a160c334c6703c9b52c376c1cb69da856d1ff25044e9379ef3884ed48d6b5ae5306e4d602392ae108957d13a1551f0e4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
109KB

MD5
b36ec0de70fe1e5c6513ac040f89d3a9

SHA1
86e7e657e5eeace8ed6fd16de818fc659036488c

SHA256
e19925aebe2f927186d0ce29d67565c3b574ce2f117fb0a03e9d1d932cb6e75e

SHA512
d54e8ce626e101b6facec8cb6c7a4dc6d306f724eb04408a6382ec9f59b61f20fd35ebf5e7aa7dcb5a06344b87f83e87165ab52cdcdb41dd5d68b7e12b260530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
109KB

MD5
2438c8bf499d0a0e63c9c342eddbe33e

SHA1
258d8256d7c11e65f89f301340de31cb4ad7e243

SHA256
1ad98f422e8d44ce56d943207c070c6ed8e845756ab70d521c0563df501be5af

SHA512
b8b4bb422b91bf0189c9f4028cbcf2e37b3c4ea5013fad6735372d00e5e3054c035fe432e73727c88646ccf2d3e5cf1afca1a555c25c6a6be020a4ac990805ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
109KB

MD5
fe9a5b9251408e263561d944bef2d97a

SHA1
578f701efcd5ee9489c3fcef40e24792551427ef

SHA256
81b8d64632a7ab57c317d42bda8167012a1f5c5a00cf3e7e6ac157a604858584

SHA512
0aed0f5fbd078b811f09fefa750d7deb877edd0b91173a4f2be81e381e418604505f3e2a3b58bef75b8f2a275bb74a44ec6d74d131e8bf5562ce64ef10b2c2c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
109KB

MD5
aa3084ce3f8a694ee76599c97cb18d4b

SHA1
f0824f4af6bc8cd9ea8ee125b3d462d04a3fc99e

SHA256
38760cc8b204a26efbdb0bde8a9b43acab88a325378ce4c4f1decc6f6cf43457

SHA512
eee5c86387aeee57662d98d8ac62d96968b846e8c36c0842cc190c2a6b0567dc8eeb2dd0a2abb0aabb58791e475d49ef3bb5906dbd4d5bd4da2fe8ff87080bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
114KB

MD5
911025b34a4e16f5037de047eece37b5

SHA1
89ab6439402df658896cfe32b1066d380c78ccc2

SHA256
29a501e34316615f84781c42e51475fe4e631b559ad794009632fa8c5a90b356

SHA512
a7114f7f0ca617f39330f197430f779695e3b7e25b0531d8c98160d8d94276073dce19e6cc61f9487619563a04f2d5b73f9300e5070337c17bdb4b1ee44cd86e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
111KB

MD5
b262a2c7f800d07320e679c05072cee7

SHA1
d070e847552d91c9f14374f0f8ab0c0bc600c316

SHA256
c2f282acff58fc63e9291d9cc316457c24e5239cf442654833228d8080a1db7d

SHA512
ccb186bf5b3700aac6f0278c6ac7d62ef9c5ee2f47f7ac5a780861db69f08bc80d0b938b089e9b665b1f1ed779eb1ccba559b1de502604cbbc8a4c9316a8dd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
118KB

MD5
5ea770f5f76b47694fbc8cd2e9cf5287

SHA1
e848988a2bd95e6f9f438bb3665958f09db89832

SHA256
14bdb8c46cb14a7c965d6e2d8cace590b213e3ce33f7a3f269797adc10dbd46b

SHA512
a5db43371b7e493b45ec4c0422194984410fa6f09b2b93ff4328479cb027559c1f55bb80ed0ffbf6601fa3a8370f46ff89e40141a0bf594db5fa9dc8c719ae2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5841c7.TMP
Filesize
97KB

MD5
b19298e47acd319230ed89be44b22a22

SHA1
5657dd83263f9f8dfbcf58f02b458708807ae860

SHA256
9b2b134c752cc0e3541308ca9579d58dc1ad3a154b04b19414e0a7cfba74b5ed

SHA512
ec49a97476f056a1b8bc98545306a79a11428c66950e961eb278f7597e81f00c9c007eb94e8a373c95a66a633fab9a8ad9b3367147feb70d5765a5316c7cb0fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log
Filesize
5KB

MD5
1a1a7d6c45d89d02404e0c3bfd29b1ad

SHA1
e631f6884f183226c9456780a1a24b48b46bb277

SHA256
00c341346eda0a30aa1ad442ba6c27175f91eb5891c261e16969f940b425f0ee

SHA512
97af15c4a4eb12de158e2447960eae19854794a7a009247c8cccaf3380c45a851439c0c9900e80975508d3e74c80e31d6207684565c5e07d3179ea6af60e6a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEL14D2.tmp
Filesize
87KB

MD5
7bad046d13d24e034266368f6fc3ee14

SHA1
2a215e89800621d5c09c6b834d45f35ddbadb0c9

SHA256
3d5771e67eb7c72fa7e4a59cbf823cf7d30d6e6946809e41893e8e1bf0f2a76a

SHA512
e3a82e7407f21f84f7119f3b993e62d621399434b4b17ebb5ce9f81b38e21aaa8889ed3689c2bbd6a5b6d1c70a28a2a8bdb75e65276bfea9d035b3e6a57ba922

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEL14D3.tmp
Filesize
160KB

MD5
d52481a7e0b9230952166ae3f2484a03

SHA1
5ccf1d6845c0831dca0c92306524b904a41e35ec

SHA256
62009b79ccb4b9a664b6e97cd29862cb7ccabcd0fc8e95f3bcfe60e12a0fe154

SHA512
b50a1e15a8406b1b228a27f7cd8dd41ff774ca9e2092112879cdb656719f2634225ddd9cf2742b12a2fc8dabd337ff90ffb1eb51445426647107300794bf23fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEL14D4.tmp
Filesize
207KB

MD5
04e98666d82bf218a0b4be2ebf10947d

SHA1
7e6d48fc0678fbe9ac6fb2c10627ca671b38e359

SHA256
cecef448560cb56a3acb82c4a2b27f4c39f53ca9fdbed63d2f8ef62de0db3a09

SHA512
38d8c0fbe3d964aff637f3b8b7b7d757a7910caf72a2bb93b0b7f70ec67c19e4dc3fd8f9ca0506f171962b1db185f1005738a91835bd76462efe275ec458c0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsci44ta.3dj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Facturacion_07762.7z
Filesize
15.2MB

MD5
9f72219b487d1eb7af0f2d5128403a09

SHA1
0b2dad56f74752d7b99a92500e405ba5cd1d5d58

SHA256
c95cf5918d9690d512ba32974c421f2fc681b5e93069b14de8863050e10361e3

SHA512
0cdc9d763bdeb63fd49701992a763195e25389d63ff9e73e30eaedd756fd430cbedf264676a2da7c6bdc3b3bfb6f8d068f60b75cd6898e844c922f634e6b3fc7

Download Submit
C:\Users\Admin\Downloads\Facturacion_07762.7z.crdownload
Filesize
15.2MB

MD5
9f72219b487d1eb7af0f2d5128403a09

SHA1
0b2dad56f74752d7b99a92500e405ba5cd1d5d58

SHA256
c95cf5918d9690d512ba32974c421f2fc681b5e93069b14de8863050e10361e3

SHA512
0cdc9d763bdeb63fd49701992a763195e25389d63ff9e73e30eaedd756fd430cbedf264676a2da7c6bdc3b3bfb6f8d068f60b75cd6898e844c922f634e6b3fc7

Download Submit
C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
Filesize
20.2MB

MD5
c42e37aa1d41307e39a53ee327d22b9c

SHA1
f04b7f7f267ed025af8e18ce7f0ca589c5592521

SHA256
313fef1d9a30fe8a40f4a8b1aefa74dbae9b4a6a1b33138bf694df1af29dcf59

SHA512
eaeb6db090b5e350fef96d7d2217b03bd8ac1e4e45ef001792aca41dfb508f0128a41f76266a0e45a140aaf26825d4167c73308e71f6c89537b36bd3deab2de7

Download Submit
C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
Filesize
20.2MB

MD5
c42e37aa1d41307e39a53ee327d22b9c

SHA1
f04b7f7f267ed025af8e18ce7f0ca589c5592521

SHA256
313fef1d9a30fe8a40f4a8b1aefa74dbae9b4a6a1b33138bf694df1af29dcf59

SHA512
eaeb6db090b5e350fef96d7d2217b03bd8ac1e4e45ef001792aca41dfb508f0128a41f76266a0e45a140aaf26825d4167c73308e71f6c89537b36bd3deab2de7

Download Submit
C:\Users\Admin\Downloads\Facturacion_07762\Facturacion_07762.exe
Filesize
20.2MB

MD5
c42e37aa1d41307e39a53ee327d22b9c

SHA1
f04b7f7f267ed025af8e18ce7f0ca589c5592521

SHA256
313fef1d9a30fe8a40f4a8b1aefa74dbae9b4a6a1b33138bf694df1af29dcf59

SHA512
eaeb6db090b5e350fef96d7d2217b03bd8ac1e4e45ef001792aca41dfb508f0128a41f76266a0e45a140aaf26825d4167c73308e71f6c89537b36bd3deab2de7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 329088.crdownload
Filesize
1.3MB

MD5
dd5ce6422616fc42b2d3abf21d1ba2ce

SHA1
432c1cd60eaf70058b5190606ffcc6220dd7fcbb

SHA256
3f73f59566b0cf3eddddaf61ad72bb0c6e4588a5d9e004abf68115b752ebbbd8

SHA512
717548b7b479bf23043fa2bb6891ad17a0aa74f91acb66c558cd8d0f90bac34b910e9209029cb9a4846b9ba35713a3a441e92e611af188f72e053e8974d39eea

Download Submit
C:\Users\Admin\Downloads\windbg.appinstaller
Filesize
685B

MD5
203b77b8a9ebe6597bc80234029378d5

SHA1
f8a088ce1619491c2fc9a51aeb3e27996d2d493b

SHA256
25195d02c40a3496053fec728de833275559534e30b18fa206e5182ca0dd78e8

SHA512
73e5f80982ea84c23b36fb07d44575887c4df897293c6db21bdc84f76554b6d23e967cccc8a0f846b1e7106e1e4211e660048f76e196a66b1365e331d7ee4b86

Download Submit
C:\Users\Admin\Downloads\winsdksetup.exe
Filesize
1.3MB

MD5
dd5ce6422616fc42b2d3abf21d1ba2ce

SHA1
432c1cd60eaf70058b5190606ffcc6220dd7fcbb

SHA256
3f73f59566b0cf3eddddaf61ad72bb0c6e4588a5d9e004abf68115b752ebbbd8

SHA512
717548b7b479bf23043fa2bb6891ad17a0aa74f91acb66c558cd8d0f90bac34b910e9209029cb9a4846b9ba35713a3a441e92e611af188f72e053e8974d39eea

Download Submit
C:\Users\Admin\Downloads\winsdksetup.exe
Filesize
1.3MB

MD5
dd5ce6422616fc42b2d3abf21d1ba2ce

SHA1
432c1cd60eaf70058b5190606ffcc6220dd7fcbb

SHA256
3f73f59566b0cf3eddddaf61ad72bb0c6e4588a5d9e004abf68115b752ebbbd8

SHA512
717548b7b479bf23043fa2bb6891ad17a0aa74f91acb66c558cd8d0f90bac34b910e9209029cb9a4846b9ba35713a3a441e92e611af188f72e053e8974d39eea

Download Submit
C:\Windows\Installer\e662a86.msi
Filesize
652KB

MD5
6743f61de4a0faf783ea1b31be3ad25b

SHA1
6848cb55fa88084b0a136eaa74d02b3e05f7a218

SHA256
60585456d3984be9b81a65963b068790936cb3a9667e43d2a555b27b9fe62d5d

SHA512
41677198aadd71708b3450abdb91e0db2364d0e25aa2092f0a85d3fc098d304141a9facf9936b5a5d0560969fbb094bf1d572cbd84e890124ef6511487097407

Download Submit
C:\Windows\Installer\e662a87.msi
Filesize
392KB

MD5
aa650fe78f03ddb36562b2b758d88424

SHA1
5aaf54b9603eca0fcccde4e015e44defd4b70834

SHA256
add211de904a8ecd0a8c8e1c8e6155a63c0012770f627d39a84abb424033fcc1

SHA512
b0dfa0600aa0f80545e057ba5028730fc9ab50af941ec440f8317e0898899785936875903cd93fc61d1fb2b1eba389868b8ad76d91bec25b4ac42efd90203bd2

Download Submit
C:\Windows\TEMP\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\RC_ConnectedAccount.ps1
Filesize
1KB

MD5
8342e391046cbe191b28cbcdf118d85b

SHA1
8100d7051de2b52b5d2a09d9bb11871244171e59

SHA256
8d17b11b565063bf920b85c060cec1aea950c73a399e14438adc6b5257dd01de

SHA512
1f6c658890b531deec56df822e8e777b8cb16779cbf74539fde1265cdca95e7b66a49cf28e7b2f0ab4d91ae674e12ada472e267824a723e92b6a496c193d98c4

Download Submit
C:\Windows\TEMP\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\RC_UAC.ps1
Filesize
1KB

MD5
437a5bd86284243c2a673757b0c52454

SHA1
169c84cb67fa00d4bfbdfd71436f3af154a3c1c8

SHA256
c3fe4eae1a68385d582cd14e0c2b7e9ea5c9ab1badeb080bcc1dcaedad273228

SHA512
02a82c48a3c3d6332fe2801763e47af51be6bcf8d4d6d64bbe33a651ce9b294ee5d19ca0b3b6a4b2023c5393c14b000792b548d5f1aedd49bb12eac51b9249c1

Download Submit
C:\Windows\TEMP\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\RS_ConnectedAccount.ps1
Filesize
347B

MD5
f1be6a04d65e013199d27f7645c213b6

SHA1
5134b568eca37972c3ab343526ae182b1ef1cdac

SHA256
6cdfb1d817e9822f9bd1d7518e602edae89e9fc9711a320923c16ff19bbafeec

SHA512
3d8aefd1de4e527a21c3d30f6f018fa97d7d8503e23b10100b96afe88a4a84f07f3756995b5db3b546e79ae2741f11cce25f7cdba409d42b45d5ccc856ec575d

Download Submit
C:\Windows\TEMP\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\TS_Main.ps1
Filesize
1KB

MD5
f02a3b046871ec0d612a4bd993a1f9e6

SHA1
a7aed87d8b271aeba72240826d279b17b17ca976

SHA256
eea4fba8cb261d31f61a6b5f3dd7ec1f6ed90bcb927280077a8add27ef2dc0d1

SHA512
ea9fa376c1ca6c1102c1bda10a12aca27ece3a700cbc74f34d12cc353e80bf59fd2d0a641d20130dadb868ab4c237787f46cbdb9a0b778ba7e6414d88961ed3f

Download Submit
C:\Windows\TEMP\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\Utils_Apps.ps1
Filesize
10KB

MD5
cbba1eac24e8cf9f7cd5c195661b1339

SHA1
ef83711491374fe2c7d788d6425b33e351fd2a3f

SHA256
0feafecaeaece731476326acfef72ca92ddb1869d0b8df5ea39410fa9a061852

SHA512
4e89fd82ff953ef5712d3d6104f6849e6632a4b8b74c452b3a38950a37fe996b0d4aee392ac0de0438b7283fe4b72470956ac4f681d376dd6a63c6ec4aca929d

Download Submit
C:\Windows\TEMP\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\en-US\CL_LocalizationData.psd1
Filesize
3KB

MD5
cf55115ec5578177ed67dfdde29fb56f

SHA1
3c71bfc08c5b2a2554793cd14fb5602c0572f2de

SHA256
efdaa960bcf020c4cd39267b778bb26344ee422ff9f83ea0b0189abf615a7898

SHA512
eb861e223bac7c21eb439939afe85ffb5a3345417abfbbd65c637cc3a2182b7fca94c58be450bc073362dac0a6f182b12c344a2131ce60dfdc3cd6e15eb1b942

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\CL_Registry.ps1
Filesize
19KB

MD5
59f9534a3feb830e121a5bf4fda24454

SHA1
5230558a975b173fea29f65d982ffc34c96c4d14

SHA256
c0f1f9e9e9171ec757dce8cf57c0b4091fa74680571c1ff58537a2050a1e9132

SHA512
2f026e2bfa48788c2a2ffcd191f6f30cf6df78a1bcfcd602cc26c3823903c7c4dbe36f4cd2a6b38310ddeb9dc2510c11b51c708b98aab1d5c4df0cfe5a5957f9

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\RC_BITSACL.ps1
Filesize
1KB

MD5
d3791a156a0a606073c82a150f49287c

SHA1
2a08755e81c6b6fdc9123bec2dfb7849ef809479

SHA256
9bc95705bf1b51f20c603bd48ef5c0fbe0646f1f265161246613852455d7235d

SHA512
409c9f2917ad9f0d92923c839962c9cddab8a641ff60f07176ab4800f0af9c9060c0c4fe976af31cb138fbdc2047bf2a2bdca74115c344e886848321c0f267b3

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\RC_BITSDLL.ps1
Filesize
2KB

MD5
12d667b11912eecb9732500d4c943ee7

SHA1
22473792d3de8ed3669fa89710c34ce377a980b5

SHA256
ed07487d7de3ae2793e40ffd62ee0aa20131807757d41c4306b8d47849efd49d

SHA512
651673533260afe3c513a43a0680e647ea040dbc7e07382308eb192a07bd77084841da0e66c9df312450451a934587803a890a88de6c734d5254aaddd6c9fb35

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\RC_BITSRegKeys.ps1
Filesize
5KB

MD5
4749314e61791f525f2b74a9654647bf

SHA1
23fca013110dc9b7699228fbd51856bd6ee43943

SHA256
1f64b5578accea26927bc18eb926c1a1f8331563e8a14b4512e5b7f2f9219c25

SHA512
59a12c936e2bffc2272f7393d9f87a2c35228dd11d388e1d16c6de85a5e3d783a792f392d99fd32a754c3a7afba56a304bdc87da8c11408000892d2e7b862db6

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\TS_Main.ps1
Filesize
1KB

MD5
9400d4eb8fc7ebc84b4c5eca2423f815

SHA1
cc5cd42fc4b942ddc435417cfcd294d1dcc5b0c5

SHA256
4d9ee2f37025e6e87ae01ec98b6f6e19f53d5763f7955bf0d2a01973403802a8

SHA512
b9f2dafb9f8b5319fd09a0bc95a3981e0b6aea456163f3dbf82d9d6a35e2d932decf375a4fe730e766f2f6cac19fa177f3f6156c79958919b6e3224bbfbea57d

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\cl_Service.ps1
Filesize
10KB

MD5
bce5918b3d28bcfd3ecec630a51df80a

SHA1
301d7b6b6b9ad37ccd5b6450c2f9a181854ed2c3

SHA256
21b1e44e981315ebda2a671eca3c4b1d5d4262583dc72a355f2584f26b535fb5

SHA512
961ff9674454ae02ea09e83cf8192599db2123e0af9594d086e591df3717e62eaee1dc679d15f754266ab1e11f7a3a6520458754ddddfb51a2fef48a6f4199cf

Download Submit
C:\Windows\TEMP\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\en-US\CL_LocalizationData.psd1
Filesize
816B

MD5
b0020e1643a6b53e7e888ed5f6ef3b3d

SHA1
f8b61228028bb9abb3fd79d45f8e8d35c2e24d24

SHA256
2b44ca7ad580ed3da81ce04c3458a580d3c61e4192c81d56bf637bbb3c5d6067

SHA512
559678ab23506fa81a810814f9948322555d9a793f8558682cccf287676682ecf31fafb69f8bc18e5e3546c8d7e379c8a1cccdb93baea1402bbdabb4c69f8b48

Download Submit
C:\Windows\Temp\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\DiagPackage.dll
Filesize
148KB

MD5
9fa4e9aa8d2b93159b7178fc5635a108

SHA1
e937b2e66005c7b27bbf73be7ebe3abf3f9e6511

SHA256
3e2b6fd005274b01c930afc11e6a2c9e0c8549d5fb8c1d2a67b60485b41450c4

SHA512
baa806ff60f881d0d1acf721fe2e760194753d7957e2d083850b808938b4489dd9bff89f3362d01e50a72f29fe7e0a5205246946d3f774c134adfc75b1ad869d

Download Submit
C:\Windows\Temp\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\en-US\DiagPackage.dll.mui
Filesize
8KB

MD5
3416b2ccf47d8c556181b7161e4c7fe8

SHA1
7d4407f4fb8b273824eabf9629e49fff4731af93

SHA256
7817f254bf6daecfab16a65ee21db7de248ac1bd2ebb479eccd1002c4285ee9c

SHA512
cc3580216b2a048bfdb208d364a0dde463d0aec6402c7c8779715d0099f4174638d5765331bc5be9b7a6fd3c76d8df9d111951f64a93bd29847679d7d07ca17f

Download Submit
C:\Windows\Temp\SDIAG_b24c8984-36ca-4dfc-91ee-e37f64d5218b\result\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Windows\Temp\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\DiagPackage.dll
Filesize
77KB

MD5
fc7504df42668c2918657d1b9a3102c9

SHA1
5f9a70a31678e2e8b9a10849ea8657702d0cb53d

SHA256
159c4d4621f4ce1f4da14246401d85a00b40c0090fd0b2640446a896127ac646

SHA512
c844f9e5ba72eddc6aca73e09214bf8372ee5676124077983b78b10b9830a5e5eabd9c9fff2650858836f995ea79b1f0502609a428797b838ac7cda3f627c0da

Download Submit
C:\Windows\Temp\SDIAG_dab724be-ba67-4b55-8f07-8bd38fff3741\en-US\DiagPackage.dll.mui
Filesize
4KB

MD5
2ad9d1abe41ad048186f196b58fd8e9a

SHA1
d9c66f6ef89ad126ef2bbb36e0bcf6fc8a0e34af

SHA256
9b9acb69e01f79160d368cdcd8a4dc81f18da6398f920b6f663938171f5f718c

SHA512
4c4e1e5bbe173dfd37c65fff64a029883b2f719a360a9f5ee0772b304a518839605528b97b1ac0319b79a6d7f284767ad6c04b3b769559e2b14600c467947d61

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\BootstrapperCore.config
Filesize
877B

MD5
57aa0f7b5f6f076454f075a88bcc0cc9

SHA1
b99941380123d0a30a6ca0bfc9c782841a8bf449

SHA256
361079f9f118e11ea3f05d75fd3874664c94334f453177242c8e32f0881a3527

SHA512
2635b9eeb2cbca8392283928c2c886fa2ff5238bb634fcd07e19109e057315d9dcccdcf75c35b7d92077f46a049353f5b03c515dc03ecc4228227e0133b4eb05

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
7bad046d13d24e034266368f6fc3ee14

SHA1
2a215e89800621d5c09c6b834d45f35ddbadb0c9

SHA256
3d5771e67eb7c72fa7e4a59cbf823cf7d30d6e6946809e41893e8e1bf0f2a76a

SHA512
e3a82e7407f21f84f7119f3b993e62d621399434b4b17ebb5ce9f81b38e21aaa8889ed3689c2bbd6a5b6d1c70a28a2a8bdb75e65276bfea9d035b3e6a57ba922

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
7bad046d13d24e034266368f6fc3ee14

SHA1
2a215e89800621d5c09c6b834d45f35ddbadb0c9

SHA256
3d5771e67eb7c72fa7e4a59cbf823cf7d30d6e6946809e41893e8e1bf0f2a76a

SHA512
e3a82e7407f21f84f7119f3b993e62d621399434b4b17ebb5ce9f81b38e21aaa8889ed3689c2bbd6a5b6d1c70a28a2a8bdb75e65276bfea9d035b3e6a57ba922

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Bootstrapper.Presentation.dll
Filesize
207KB

MD5
04e98666d82bf218a0b4be2ebf10947d

SHA1
7e6d48fc0678fbe9ac6fb2c10627ca671b38e359

SHA256
cecef448560cb56a3acb82c4a2b27f4c39f53ca9fdbed63d2f8ef62de0db3a09

SHA512
38d8c0fbe3d964aff637f3b8b7b7d757a7910caf72a2bb93b0b7f70ec67c19e4dc3fd8f9ca0506f171962b1db185f1005738a91835bd76462efe275ec458c0a7

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Bootstrapper.Presentation.dll
Filesize
207KB

MD5
04e98666d82bf218a0b4be2ebf10947d

SHA1
7e6d48fc0678fbe9ac6fb2c10627ca671b38e359

SHA256
cecef448560cb56a3acb82c4a2b27f4c39f53ca9fdbed63d2f8ef62de0db3a09

SHA512
38d8c0fbe3d964aff637f3b8b7b7d757a7910caf72a2bb93b0b7f70ec67c19e4dc3fd8f9ca0506f171962b1db185f1005738a91835bd76462efe275ec458c0a7

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Bootstrapper.dll
Filesize
160KB

MD5
d52481a7e0b9230952166ae3f2484a03

SHA1
5ccf1d6845c0831dca0c92306524b904a41e35ec

SHA256
62009b79ccb4b9a664b6e97cd29862cb7ccabcd0fc8e95f3bcfe60e12a0fe154

SHA512
b50a1e15a8406b1b228a27f7cd8dd41ff774ca9e2092112879cdb656719f2634225ddd9cf2742b12a2fc8dabd337ff90ffb1eb51445426647107300794bf23fa

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Bootstrapper.dll
Filesize
160KB

MD5
d52481a7e0b9230952166ae3f2484a03

SHA1
5ccf1d6845c0831dca0c92306524b904a41e35ec

SHA256
62009b79ccb4b9a664b6e97cd29862cb7ccabcd0fc8e95f3bcfe60e12a0fe154

SHA512
b50a1e15a8406b1b228a27f7cd8dd41ff774ca9e2092112879cdb656719f2634225ddd9cf2742b12a2fc8dabd337ff90ffb1eb51445426647107300794bf23fa

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Diagnostics.Tracing.EventSource.dll
Filesize
166KB

MD5
ad9250c9725e55e11729256336accd56

SHA1
793fe7f04a7b39aa88ebf77deb9cf896d5136f68

SHA256
f9836c19b55583433141cbc1ae4542e65919abb0753e806b29740a732526b685

SHA512
37f85341324343fc1d783d0c8b850c143985d3e39516154979c9cc4ee1bd3440d0fd6f5c457f5de2653288edf24443f7f63b2447728a1323b31267f1697fa300

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Diagnostics.Tracing.EventSource.dll
Filesize
166KB

MD5
ad9250c9725e55e11729256336accd56

SHA1
793fe7f04a7b39aa88ebf77deb9cf896d5136f68

SHA256
f9836c19b55583433141cbc1ae4542e65919abb0753e806b29740a732526b685

SHA512
37f85341324343fc1d783d0c8b850c143985d3e39516154979c9cc4ee1bd3440d0fd6f5c457f5de2653288edf24443f7f63b2447728a1323b31267f1697fa300

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\Microsoft.Diagnostics.Tracing.EventSource.dll
Filesize
166KB

MD5
ad9250c9725e55e11729256336accd56

SHA1
793fe7f04a7b39aa88ebf77deb9cf896d5136f68

SHA256
f9836c19b55583433141cbc1ae4542e65919abb0753e806b29740a732526b685

SHA512
37f85341324343fc1d783d0c8b850c143985d3e39516154979c9cc4ee1bd3440d0fd6f5c457f5de2653288edf24443f7f63b2447728a1323b31267f1697fa300

Download Submit
C:\Windows\Temp\{06B08DD7-DFDC-45DB-984A-CD8BDF73027A}\.ba\mbahost.dll
Filesize
123KB

MD5
46d25de33138cddf0c6cfe7f5ef1d58d

SHA1
d3df9be6e24d39b1d99016f38f20ae96cad1a136

SHA256
a50e81ed6221cd7e41cb02e61b7b97fb8f4d200bd69846e17faaf7230302df87

SHA512
ce8b5197ae92861fc152623ed83beaa4255cda9661ee7f4d622fe0b5772b0a2e62cb402af332857a11cdea13ae91c89f47eabac4647e9c6317b9f01876309714

Download Submit
C:\Windows\Temp\{9F859C8E-4DB4-452F-AA9F-83F96529015F}\.cr\winsdksetup.exe
Filesize
1.3MB

MD5
dd5ce6422616fc42b2d3abf21d1ba2ce

SHA1
432c1cd60eaf70058b5190606ffcc6220dd7fcbb

SHA256
3f73f59566b0cf3eddddaf61ad72bb0c6e4588a5d9e004abf68115b752ebbbd8

SHA512
717548b7b479bf23043fa2bb6891ad17a0aa74f91acb66c558cd8d0f90bac34b910e9209029cb9a4846b9ba35713a3a441e92e611af188f72e053e8974d39eea

Download Submit
C:\Windows\Temp\{9F859C8E-4DB4-452F-AA9F-83F96529015F}\.cr\winsdksetup.exe
Filesize
1.3MB

MD5
dd5ce6422616fc42b2d3abf21d1ba2ce

SHA1
432c1cd60eaf70058b5190606ffcc6220dd7fcbb

SHA256
3f73f59566b0cf3eddddaf61ad72bb0c6e4588a5d9e004abf68115b752ebbbd8

SHA512
717548b7b479bf23043fa2bb6891ad17a0aa74f91acb66c558cd8d0f90bac34b910e9209029cb9a4846b9ba35713a3a441e92e611af188f72e053e8974d39eea

Download Submit
\??\pipe\crashpad_4060_HCJUMXMYHTKKXRKP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1060-194-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1060-157-0x0000000001A20000-0x0000000001A21000-memory.dmp

Filesize
4KB

Download
memory/1060-141-0x0000000001A20000-0x0000000001A21000-memory.dmp

Filesize
4KB

Download
memory/1060-238-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1060-156-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1060-224-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1060-196-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1060-195-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1060-166-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/1404-260-0x000001E778E40000-0x000001E778E50000-memory.dmp

Filesize
64KB

Download
memory/1404-276-0x000001E778F40000-0x000001E778F50000-memory.dmp

Filesize
64KB

Download
memory/2344-822-0x00007FFB8F740000-0x00007FFB90201000-memory.dmp

Filesize
10.8MB

Download
memory/2344-834-0x0000029F0C180000-0x0000029F0C190000-memory.dmp

Filesize
64KB

Download
memory/2344-949-0x00007FFB8F740000-0x00007FFB90201000-memory.dmp

Filesize
10.8MB

Download
memory/2344-821-0x0000029F247D0000-0x0000029F247F2000-memory.dmp

Filesize
136KB

Download
memory/2344-823-0x0000029F0C180000-0x0000029F0C190000-memory.dmp

Filesize
64KB

Download
memory/2344-826-0x0000029F0C180000-0x0000029F0C190000-memory.dmp

Filesize
64KB

Download
memory/2344-832-0x00007FFB8F740000-0x00007FFB90201000-memory.dmp

Filesize
10.8MB

Download
memory/2344-833-0x0000029F0C180000-0x0000029F0C190000-memory.dmp

Filesize
64KB

Download
memory/2384-1217-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1245-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1320-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1312-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1225-0x00000000064B0000-0x00000000064DE000-memory.dmp

Filesize
184KB

Download
memory/2384-1211-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1210-0x00000000727E0000-0x0000000072F90000-memory.dmp

Filesize
7.7MB

Download
memory/2384-1319-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1313-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1229-0x0000000006800000-0x000000000682C000-memory.dmp

Filesize
176KB

Download
memory/2384-1317-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1330-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1237-0x0000000006870000-0x00000000068AA000-memory.dmp

Filesize
232KB

Download
memory/2384-1238-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1242-0x0000000008D70000-0x0000000008D78000-memory.dmp

Filesize
32KB

Download
memory/2384-1243-0x0000000009440000-0x0000000009478000-memory.dmp

Filesize
224KB

Download
memory/2384-1244-0x0000000008E20000-0x0000000008E2E000-memory.dmp

Filesize
56KB

Download
memory/2384-1216-0x0000000003340000-0x0000000003358000-memory.dmp

Filesize
96KB

Download
memory/2384-1246-0x00000000727E0000-0x0000000072F90000-memory.dmp

Filesize
7.7MB

Download
memory/2384-1257-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1314-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-2909-0x00000000727E0000-0x0000000072F90000-memory.dmp

Filesize
7.7MB

Download
memory/2384-1277-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1316-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1287-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1288-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1295-0x000000000A490000-0x000000000A564000-memory.dmp

Filesize
848KB

Download
memory/2384-1297-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1300-0x0000000009330000-0x0000000009338000-memory.dmp

Filesize
32KB

Download
memory/2384-1301-0x0000000004170000-0x0000000004180000-memory.dmp

Filesize
64KB

Download
memory/2384-1304-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1306-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1307-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1309-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1310-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2384-1311-0x0000000009F30000-0x000000000A030000-memory.dmp

Filesize
1024KB

Download
memory/2772-252-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2772-257-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/2772-226-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2772-250-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/2772-253-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/2772-255-0x0000000000400000-0x000000000184F000-memory.dmp

Filesize
20.3MB

Download
memory/3924-243-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-240-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-236-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-237-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-242-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-244-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-245-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-249-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/3924-248-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/5480-853-0x00007FFB8F740000-0x00007FFB90201000-memory.dmp

Filesize
10.8MB

Download
memory/5480-851-0x00000218480C0000-0x00000218480D0000-memory.dmp

Filesize
64KB

Download
memory/5480-950-0x00007FFB8F740000-0x00007FFB90201000-memory.dmp

Filesize
10.8MB

Download
memory/5480-845-0x00000218480C0000-0x00000218480D0000-memory.dmp

Filesize
64KB

Download
memory/5480-844-0x00007FFB8F740000-0x00007FFB90201000-memory.dmp

Filesize
10.8MB

Download
memory/5480-856-0x00000218480C0000-0x00000218480D0000-memory.dmp

Filesize
64KB

Download
memory/5628-350-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/5628-338-0x0000000013140000-0x0000000015265000-memory.dmp

Filesize
33.1MB

Download
memory/5864-209-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-208-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-207-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-206-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-204-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-205-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-203-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-198-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-199-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download
memory/5864-197-0x000002C5DB5E0000-0x000002C5DB5E1000-memory.dmp

Filesize
4KB

Download