Analysis Overview
SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
Threat Level: Shows suspicious behavior
The file [email protected] was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Enumerates connected drives
Unsigned PE
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies Control Panel
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 16:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 16:28
Reported
2024-03-02 16:28
Platform
win10-20240221-en
Max time kernel
25s
Max time network
43s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\msinfo32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\msinfo32.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\Menu = "57 99 26" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\MenuText = "43 130 221" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\WindowText = "238 24 128" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\InactiveBorder = "227 220 160" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\GrayText = "183 210 152" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\InactiveTitle = "179 65 168" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\Scrollbar = "8 72 46" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\ActiveTitle = "213 163 203" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\Hilight = "243 219 43" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\ButtonFace = "165 201 45" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\AppWorkspace = "225 5 109" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\HilightText = "247 204 196" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\ButtonText = "188 34 45" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\Background = "96 191 222" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\WindowFrame = "95 205 87" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\TitleText = "121 133 143" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\ActiveBorder = "40 55 168" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\ButtonShadow = "172 156 196" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\InactiveTitleText = "10 209 60" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\Colors\Window = "97 213 63" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\HideEnable.nfo"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\NewCopy.docm" /o ""
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\NewCopy.docm" /o ""
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GetRequest.odt"
C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\HideEnable.nfo"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | redir.metaservices.microsoft.com | udp |
| GB | 88.221.134.112:80 | redir.metaservices.microsoft.com | tcp |
| US | 8.8.8.8:53 | onlinestores.metaservices.microsoft.com | udp |
| GB | 88.221.135.114:80 | onlinestores.metaservices.microsoft.com | tcp |
| US | 8.8.8.8:53 | 112.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/2012-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 557b5ff876a2be11fc93b5f49b3457ca |
| SHA1 | 5b2603ad1089bbb3dcd297936d09d8a4575dbd76 |
| SHA256 | 1bfad6a29150153ceb9cd16f12548ba7a565d76857b43b1b75a06459635f8de3 |
| SHA512 | da6afe412d98380964b230cd1b8634e8b5baa5dfc493b4791157d25ffbcaf9d674bb5b5ad4201ff3482f8da432b74650db13d91210c60952ffdf1b0174684e45 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 0e807656bd86f2aef7ccf207f963973b |
| SHA1 | 27052af8d103d134369e356b793eb88ba873df55 |
| SHA256 | c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162 |
| SHA512 | e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3 |
C:\Users\Admin\AppData\Local\Temp\tmp28390.WMC\allservices.xml
| MD5 | df03e65b8e082f24dab09c57bc9c6241 |
| SHA1 | 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf |
| SHA256 | 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba |
| SHA512 | ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99 |
C:\Users\Admin\AppData\Local\Temp\tmp31484.WMC\serviceinfo.xml
| MD5 | d58da90d6dc51f97cb84dfbffe2b2300 |
| SHA1 | 5f86b06b992a3146cb698a99932ead57a5ec4666 |
| SHA256 | 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad |
| SHA512 | 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\Microsoft\Windows\3720402701\2219095117.pri
| MD5 | e2b88765ee31470114e866d939a8f2c6 |
| SHA1 | e0a53b8511186ff308a0507b6304fb16cabd4e1f |
| SHA256 | 523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e |
| SHA512 | 462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4F398924-F001-4C4A-B205-D555F0538505
| MD5 | bc592e37a22535a30a54b262b57e15d8 |
| SHA1 | 739deaca786b0c5c03ad42295f07a34cf38beeec |
| SHA256 | f7f92bd9260b0a84db6ab72615f428a9dfd149c3b183b686d826fd6f465dbe74 |
| SHA512 | 4d223fb0818e20b4e1b3bf6756f473df2baadf5cff2fbfbf7b15d318bc8433b0a9d4c75d8649a46e6f94e7970d70e4adbad35b975179e9b11541b1c7e7513336 |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
| MD5 | d6f790e9092792ec798abaff6d5b7692 |
| SHA1 | 19c4dd5a1ab6cbe4d4c6dc01af7a903f31a25bbf |
| SHA256 | cbb884793cdbfea7fcc7abdabf846d8d0e368f13824236e1cc8bb5616a6e45ce |
| SHA512 | 595af12cf1d1aa1a2f06fe68c6012909c41356dfc8921f27a8522a16be285c6788a796039ae5ae6956a01c0416f924313c653b854f48ea397f7b208c3b38dac9 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
| MD5 | 54d28c7816baa9dda1c88b0ea57623bb |
| SHA1 | 89bbd55270a05fa4efaf6fd6095bf91d480d98ab |
| SHA256 | 772414f615d8ba5d1e1357f5a1e03c57814f13d71f92b58c9e609f927ab29d01 |
| SHA512 | 47538b78d7b78f69f3abd0f1903bba72ab964ddace6d931a16b50af93f0997f324d21d99802ec10a2a0ab98b3722dc2241e063ad966426c868fd409d61b6baad |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 16:28
Reported
2024-03-02 16:28
Platform
win7-20240221-en
Max time kernel
36s
Max time network
41s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\AppWorkspace = "227 22 1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\HilightText = "65 211 195" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\Scrollbar = "147 41 213" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\Background = "149 170 36" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\InactiveTitle = "241 18 203" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\Window = "219 190 121" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\WindowFrame = "90 202 27" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\GrayText = "228 97 170" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\ActiveTitle = "28 81 244" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\MenuText = "55 172 142" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\TitleText = "72 110 89" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\InactiveBorder = "2 223 181" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\ButtonShadow = "228 91 82" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\InactiveTitleText = "88 118 99" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\Menu = "213 163 110" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\WindowText = "99 30 41" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\ActiveBorder = "29 120 135" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\Hilight = "215 95 242" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\ButtonFace = "62 128 196" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Colors\ButtonText = "233 98 213" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnblockUnpublish.MTS"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\CompleteBackup.cmd" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\CompleteBackup.cmd" "
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestartLock.tmp
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeSelect.mp4v"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopPush.mpeg"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConfirmHide.ADT"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2219758,0x7fef2219768,0x7fef2219778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2192 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1148 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2236 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1356,i,2650211706393242389,18225404923079517465,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | redir.metaservices.microsoft.com | udp |
| GB | 88.221.134.89:80 | redir.metaservices.microsoft.com | tcp |
| US | 8.8.8.8:53 | onlinestores.metaservices.microsoft.com | udp |
| GB | 88.221.135.114:80 | onlinestores.metaservices.microsoft.com | tcp |
| US | 8.8.8.8:53 | update.videolan.org | udp |
| FR | 213.36.253.119:80 | update.videolan.org | tcp |
| FR | 213.36.253.119:80 | update.videolan.org | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
C:\Users\Admin\AppData\Roaming\vlc\vlcrc
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
C:\Users\Admin\AppData\Local\Temp\tmp26885.WMC\allservices.xml
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
C:\Users\Admin\AppData\Local\Temp\tmp28742.WMC\serviceinfo.xml
\??\pipe\crashpad_3000_PRDFBIFNVMELOAKA
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp