40a6dfb2da3f160374c4c287d2b2e7657d151f5d9c1d73fd0f6682264a3b0872

Analysis

max time kernel
399s
max time network
363s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cvnwzmammv.exe
Size

316KB
MD5

f5e0962b8f5ba52bbec6f2b7f63a2bc1
SHA1

ef2437a8277565dc36ab2222d893849964eb863c
SHA256

5a520735eb6373fbb0a5e76d72b33dbb9514d7cfa3b7fb465a12bd9221ec27f3
SHA512

2c86bf5145efa719c54c33710db57a7ae1b8b4a51d3161f5ff09f6e62199ee6ac07e64f5ade3d9de576979ce588fa55984f0ce1a97d0a502a4fbf960ddf30450
SSDEEP

3072:GGmjllRDGTCzXCLA52mvVZKjzepmECnvwsC6m7Yl22wruUiLrf923F8GDsrXkd+Q:EjlnC6yQmzeAPv23

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cvnwzmammv.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
268	reg.exe
1964	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	chrome.exe
2544	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: SeShutdownPrivilege	2544	chrome.exe
Token: 33	912	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	912	AUDIODG.EXE
Token: 33	912	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	912	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe
2544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2856	2544	chrome.exe	31
PID 2544 wrote to memory of 2856	2544	chrome.exe	31
PID 2544 wrote to memory of 2856	2544	chrome.exe	31
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2664	2544	chrome.exe	33
PID 2544 wrote to memory of 2232	2544	chrome.exe	34
PID 2544 wrote to memory of 2232	2544	chrome.exe	34
PID 2544 wrote to memory of 2232	2544	chrome.exe	34
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35
PID 2544 wrote to memory of 1324	2544	chrome.exe	35

C:\Users\Admin\AppData\Local\Temp\cvnwzmammv.exe
"C:\Users\Admin\AppData\Local\Temp\cvnwzmammv.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start calc.exe
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\calc.exe
    calc.exe
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start notepad.exe
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start dxdiag.exe
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\dxdiag.exe
    dxdiag.exe
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start write.exe
  2⤵
  PID:360
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    PID:1236
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:1776
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start charmap.exe
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\charmap.exe
    charmap.exe
    3⤵
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start taskmgr.exe
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\taskmgr.exe
    taskmgr.exe
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start winver.exe
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\winver.exe
    winver.exe
    3⤵
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r -t 65
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 65
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start mspaint.exe
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\mspaint.exe
    mspaint.exe
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start devmgmt.msc
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    PID:1264
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\devmgmt.msc" "C:\Windows\system32\devmgmt.msc"
      4⤵
      PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start control.exe
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\control.exe
    control.exe
    3⤵
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start mmc.exe
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\mmc.exe
    mmc.exe
    3⤵
    PID:608
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start calc.exe
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\calc.exe
    calc.exe
    3⤵
    PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6669758,0x7fef6669768,0x7fef6669778
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:2
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1536 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:2
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1332 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 --field-trial-handle=1288,i,2045394916424916604,12626136664030279077,131072 /prefetch:8
  2⤵
  PID:1476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1796

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\29afdb32-0fba-4c2c-a900-3815bb4e2ff3.tmp

Filesize
130KB

MD5
ee714b22c59c34a9a148eb0db9f21873

SHA1
8e4b9d790cc45b0cfdb9d2855f0798c700cc8513

SHA256
096fa8fc47849e274e5325843decd9e0ee871b5c89ca30e9e40d80289831be6e

SHA512
eb65629bbc5f3e1be3b709a239d96dbff8353803d675fb72d6e8b9bda3c4bc8e07e64bef487a46cf4aa53842eec9987cd0eccd98a038067d3b9c5afba2f664b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
becebcca9d979e26e25f1f9820e48d62

SHA1
47caefb4b7975710c35d8adf8f7b1fb48838d70e

SHA256
9edae3f585d02be325d2560bc7bdfd16cbe2b294a844449178b06947cdb806c6

SHA512
d75b917683ec0508b06a068f92ea8f63c8b8025e1b99719cdbd26d8fe361274eb67557efa813ff6f0bcebc3e8f3d86a25e6c652eb4b20fb74e3d31b3ec95c4be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
34ada9ce7d066d3464fda8e5d6d49284

SHA1
c3eea97a4c4a54725410f038bc117dbb15dda319

SHA256
6cd8f93f89593b79c0be8ffffd71fe6e504cad1569de4db7b967be26d180bf30

SHA512
c1b230a3f0e849e55692076ad86a7a73b324305d09da1b243064cba8889bcd2362b7b99875df94ecf8e99844b9883ac8b4468c63c9a7820ba3fe1ae0c7bffec7

Download Submit
C:\Users\Admin\Desktop\ApproveRequest.wax

Filesize
380KB

MD5
6dc1ed05268efae0d0431e16dcf83c50

SHA1
1ad0d922c6ad4a0aa7b2265385c4e1bae8a77366

SHA256
4eb341f4cb159e3d04d7aafa5af96523d463e4f31fe9d20f95422e22ba8de86f

SHA512
33784357d57b482ce65611228e1c2b748403b3328c465d3a3821f29a661f25e37038b43f50827b4a441cf9ca2205b22c63ed1490235d767159300a468a0ab0dd

Download Submit
C:\Users\Admin\Desktop\ClearAssert.xml

Filesize
609KB

MD5
76624b82e0f4f1b9bd70a26f8fb9ec1d

SHA1
16e6ead82968ea145cf90741715cf6dfdd2328c4

SHA256
c9a5f6248414f45fd6f54c2d9b4c55d36c5038fa74c2101702bb463f22fb05e3

SHA512
efa34b6ec18f78adda7fabd63ab0e6519e3a3f34cafe2bdc4ec623cec0ac0086e48c8c2bc1c0cb9e1d9d44f2244564018e124f4a8213213c1af4026ad0fd499b

Download Submit
C:\Users\Admin\Desktop\ConfirmSkip.mpeg3

Filesize
330KB

MD5
f11d6b84206ac675284e5a133881e54f

SHA1
471568e31838cfa2b91b25cd76675ce99db392fc

SHA256
04d810c635c2dfa34965064123437ec5672964ba1ead43db309e0f2b4d3d639a

SHA512
cc0a443a1e1a631ce7257568dc84b714da8b5a6ae4cce6acf050423a5fee321f4b6e48ff63705eea633e761cd2798d9fbc6f3beff462d02dc3cc9f63729095a6

Download Submit
C:\Users\Admin\Desktop\ConvertToRegister.ttc

Filesize
583KB

MD5
4fce93e2260cddbc47371980d6a8db46

SHA1
c7dce754dd6fb5591cea7ece5f422c222f7a8a43

SHA256
19d2f71421bcd3eb3eff8cbd68b6ffa2305e92146b54849141ca1c3146661dc6

SHA512
2988c0dbeadea80865d30c0c617176b122ee2dfd52bdffa7032a1e3e2f75b9c23aa0b3643b0c9b0cf66ffed2b359f99f1b08bcbd247be36133b658b6a5e52551

Download Submit
C:\Users\Admin\Desktop\DebugBlock.vssm

Filesize
533KB

MD5
e5cac99fc0df9541810047f622013f33

SHA1
f42ce75412ea112665c017b8be1d852b08850848

SHA256
d192b746995bda67aca49cf37204cc5825fb91b5bd23b48c18036ef17952a5c3

SHA512
127f110c795f931ddb77e8942fa4e0c19a425a04f47eaf35c0043e5a886442b9767af595503887a437139b2d2713d9b932effe4386e79dabec42264d0e7c6ab5

Download Submit
C:\Users\Admin\Desktop\EnterMeasure.xps

Filesize
355KB

MD5
db869388cc5e2bd2743a6e77bdd715ba

SHA1
71ca2931bab59dab6a02290b3e6d711cc39f6d87

SHA256
d550d5449aae08e264486c026966a83574922864c7fee364c957160803de6c1e

SHA512
2b00b26391a4726d5a8c7f0dc0058f9c140f17a8efffaff9b33c2589b1ad22231baf4b34e51e6820ef017346fda4d4b6e5630b7de0bd733b0fdc57e962435709

Download Submit
C:\Users\Admin\Desktop\GrantHide.pub

Filesize
507KB

MD5
8f0e1ff9ae375087670eac642b5e9f64

SHA1
06e9c539b71174481f389c291e9bc4ed5f98a113

SHA256
b0dbc13e017f0a7cea5a0a6e3cfcad874d830483e484c9a09c653d7e6aab369e

SHA512
c7e4ec7b9d3c89dc9caaab0ede0a1cfe5d05f40d87b0b03b686bc4244e3fdef4b35001e1bd50d47236880dae20ad6fc68e1c1ce6492d483b7922e57a43c52ce0

Download Submit
C:\Users\Admin\Desktop\GroupSubmit.png

Filesize
482KB

MD5
ab93a5aaae0a53687e967ad79e3eacc1

SHA1
5d01114256f1e47e95230915c317fe0f49c26acc

SHA256
ddacace38a420ed9e7e2a599f497b575db0d5f0a4d5b916a7efafedf3d5395a6

SHA512
c06727f1c1c88bca1f2b7df7fda3781d925ff6c6b2b45721adb6cfe05eaadce5413531e552583f7243c61d2a10a5ba4679a43b44447183588a813cc59224e821

Download Submit
C:\Users\Admin\Desktop\HideWatch.wmv

Filesize
710KB

MD5
d4aabb613c60373517f51057f442974c

SHA1
3c47eed10b286e17fe1014405907ec8931eb5b6a

SHA256
63945a1b60a6eb9a61baa2fe1a01b64e3200c225b0f2971d3f29f90868d2d634

SHA512
b1b680d33b5a342e65e06fe84afe4c292451e7a578dddff713eff3731909e045f3aeaa9eafbcba142cb79284716bcd6ce4f2dbf400ec9b25e5dab2cf0f58c0bb

Download Submit
C:\Users\Admin\Desktop\InitializeConvert.aiff

Filesize
431KB

MD5
7bf1a5111b59700256465222ef22cc47

SHA1
8d8207a6e07f401339ca73f56062f02d569c63cd

SHA256
9b00bc67d8c939d3eb3de5040514ae03fe8d7aa81394f01244d704042b6549e7

SHA512
8152932020073903c624e7689fa1e801b9358d8317dbf2afe5ad0c0c5c4f68e816a2801dc55cd6ee52c7c2c59a7ea05cffa1312667cfdddce583298c02b0b733

Download Submit
C:\Users\Admin\Desktop\MeasureCompare.css

Filesize
761KB

MD5
89a7825dbff9ceec4962596397b8927f

SHA1
b49895982a598448579246de2b2a88f2e1903786

SHA256
4dc7e43f2c1b95a60ef612921fdb12968cd0ef802b3f9568ef61e1454b472576

SHA512
de3d26f7fae11a2544378ac3d328427a7ebfb24c5eca948f4eb75163284a6b44d89ca7af71914dcedc96e1566c9c751645c2d0963dbc6c658c2563fdf2fee277

Download Submit
C:\Users\Admin\Desktop\MountUninstall.DVR-MS

Filesize
787KB

MD5
37bfa841b479d2748026f52cbada930d

SHA1
c0ecab5da33efe9b15ea28c56a5789fc2f86f480

SHA256
005785edd8120e3a8ad93bbf6202035cdd72df80184080a181a2f4c764552341

SHA512
3132a1c3f923efae431270cc205f172e04b172a77031270394dc48d241943bae3c914461ec4157c451984915050ef15c43a0c9e443b5c5a3d861f0ed2f98771e

Download Submit
C:\Users\Admin\Desktop\OutMeasure.ppt

Filesize
558KB

MD5
403aeb80996aefbd5c77414a52fbb25d

SHA1
cd017046f3e904abe1ea4a65ce0e3e723cb171c0

SHA256
9e9d43fa80fac4dc514552bc7dc9cd72fd0e924fc653cff7d9886a753ac458d9

SHA512
dee0048d6d094311501b3efc4fd7eecd7e5d49bd8ef3573c358365e5d31f7fa9e8d297df9e2beb5a22752ba56e9789c576e167bba29db4f01d2285a3630cbc33

Download Submit
C:\Users\Admin\Desktop\PublishPush.vdx

Filesize
660KB

MD5
6ae0f668e6dbe86b047cd2620016044e

SHA1
14b211c5b4340b5938d862440e9317880435c881

SHA256
f3b1d7bd4b33c390caa8a462eafc41c954818f1c0001bce0cf7ccbccf6d38801

SHA512
04de1b9648eb42196067be228e1d90b3759189d408924e89c2b33e4bad6fc5932daecfb41c780ccaa9234e157a4be3b93d6f887b461f7c5314b620bfa9aa05cb

Download Submit
C:\Users\Admin\Desktop\RestoreCompare.doc

Filesize
279KB

MD5
9db74a4bb16c8d257453e6859bfb9e68

SHA1
ee04995813b5925f0c42e4134ebcb7e821153db0

SHA256
003d2acf203374f6053278f1d666c6dc8cc5d9ea544c0937b9ec053498451c41

SHA512
e74a9a24c52c51ddb6e7b8c134dd657cf423e4d8e0fcfce77c8936846b384a778c7c2de34749141df3139efe01340c91d5d5b2718fd85e08bb62bbe20e4e6060

Download Submit
C:\Users\Admin\Desktop\ResumeHide.vssx

Filesize
1.1MB

MD5
3acb1f2c1f07983088f8cda8c6469cbe

SHA1
46eb3604f7f587a102d3570b2a5a5c361b051e9a

SHA256
d160a31e4196f7f3c695ae95760f0f35c631722548296d86f148a726f55ffa1e

SHA512
98f869e02d87bfd193085ee70bac076d1deca106dcc859e35a42f10fc59659087b9568cd127551631fb52feb6ab8572e1145f1bf6b8d24e38f8396a9341e4370

Download Submit
C:\Users\Admin\Desktop\SelectInitialize.ex_

Filesize
685KB

MD5
ab02c8bafe295019fe0dc05117a16ea3

SHA1
52b8e70af1ed13291898f81eb52259f3e65405f8

SHA256
2ab0aeff9a51876570f51f035073ccd77a4dcfb8617f75e78ec68bf701c268b5

SHA512
f36b79186c7cb37ed7cfc56349f9202a9366182e7b840c7c6e6be0ce0f99f07ca981b4b692779b536bd26a4aa1e924b775f8a2d828a46cb819fe12ad67abc17e

Download Submit
C:\Users\Admin\Desktop\SelectPublish.MTS

Filesize
304KB

MD5
e56e946d473039c07aa955cfbc0cd79c

SHA1
3b1acf5780762839e45fbf98b0d1916a22ffd981

SHA256
a07ae3fa9e0b899826c7327c3bafd63a9a02a65a1c29d5c90dcec25025682b17

SHA512
14121299f92908429314a638110dc7df9331856f5a3f382fad328ac22d4b7d78aa148642ffcbee0a1f11585e9dec1bd1758cbe919dd738f0b0722fb0f2aedd0d

Download Submit
C:\Users\Admin\Desktop\StopEnable.docx

Filesize
456KB

MD5
d4acb7fd234e1f1f4109b71fe38f4dae

SHA1
9bcb972f6fbb7cfb78d9a7c05dec4231dec63daf

SHA256
23ce444340180107a2517d9c64921f97d5a3dd98aba3913299229122314ebcf8

SHA512
dc17273e61e7b1060edb9999f3fd0adcc57022499f5e1d772333b1368cff3ab06d18cf33b1ed90a72aa04e3426c233055d8f2e5596c3dae3495c6a1f6f98c47d

Download Submit
C:\Users\Admin\Desktop\TraceExpand.aif

Filesize
736KB

MD5
6af42514a49df8faa5956b6da121291b

SHA1
1ef667b94c23aa9a2bcd781d1c4f2d38312296f3

SHA256
9d0038fe17796c3e3ad03a6be585fc686695392834a859061cbd31f1935fcb43

SHA512
c6c9d0f4d4a5814f786218aac5dab25e79d372d721315cf0738d51ccf1119a3dcae8c4198a3888a431a1128b71d19487d36bf0cf191e13f9b90b13fd0cca3135

Download Submit
C:\Users\Admin\Desktop\UnprotectUnblock.docx

Filesize
406KB

MD5
a0192c2d55d5b122495ce11afb06b9e8

SHA1
6d71633eea24fc011d1505eb868189ea69769aca

SHA256
68d02b89c6c5a1f762faf9237dc981f42ff174617bc2ff18751ec7434cc9adb6

SHA512
38767ac33bc73687c9523eeb7672cba2210fb3e2e2a5c5a5ce65dc5538f262abe4e078e0ad4b377d3530974d87e950089245691c1ffff95891687fc33268d76c

Download Submit
C:\Users\Admin\Desktop\WriteJoin.png

Filesize
634KB

MD5
854e2bf918dcd371c0f43304950f634b

SHA1
19ce47a02f96b40c12f8a6bb98d930d3242a6bab

SHA256
b18f0b14db9e810a9060f64bde77462f9398d5400c5de22ac83664f6057dbe63

SHA512
0f79a3cf4511b2f05f2ceb9e77ba86f771d3fb56503c5ffd9ad7d3d32cb782a90865a58b7a14312a4bc7645e9727e1754949906b77973319de72b7edf65a1cdf

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
1KB

MD5
96dec898c55c96edbf23782e2ccf218d

SHA1
e34cb76a073d804641eb73a7a3366ce1b6b31cfa

SHA256
ebc1dfd509982fea0e53332be343f0266ce7c2964a06f743be9049f74f56ebef

SHA512
5a2d6375f04d03d26b385bd839c945b8fa27d50873bf05f2fe11723883f18a09fad8eba7bc21173b8bea33b2df298e366429c5b2716aa6870a699a4c7dbe7baa

Download Submit
memory/636-192-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/636-193-0x000007FEF43B0000-0x000007FEF43EA000-memory.dmp

Filesize
232KB

Download
memory/636-196-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1380-177-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1380-194-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1776-174-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1776-176-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2264-195-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download