hxxps://ru[.]files[.]me/u/bgfhn9p85m

Resubmissions

21-04-2024 08:30

240421-kd71tsfa63 1

19-04-2024 11:38

19-04-2024 11:29

19-04-2024 11:29

19-04-2024 11:24

19-04-2024 11:20

Analysis

max time kernel
125s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ru.files.me/u/bgfhn9p85m

Score

7^/10

pyinstaller ransomware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

s.exes.exe

pid process

236 s.exe
2168 s.exe

pid	process
236	s.exe
2168	s.exe

Loads dropped DLL 50 IoCs

Processes:

s.exe

pid	process
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe
2168	s.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 ipinfo.io
47 ipinfo.io

flow	ioc
46	ipinfo.io
47	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

s.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI2362\\hrwpneko.jpg"	s.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

s.exe

pid process

2168 s.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\s.exe	pyinstaller

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exe

pid process

352 WMIC.exe
1576 WMIC.exe

pid	process
352	WMIC.exe
1576	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

s.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Desktop\WallpaperStyle = "6"	s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Desktop\TileWallpaper = "0"	s.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579992422686346"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings chrome.exe
NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Späti.zip:Zone.Identifier chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings	chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Späti.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

chrome.exetaskmgr.exes.exechrome.exe

pid	process
4192	chrome.exe
4192	chrome.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
2168	s.exe
2168	s.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
4884	chrome.exe
4884	chrome.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4192 chrome.exe
4192 chrome.exe
4192 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exetaskmgr.exe

pid	process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
892	7zG.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe
3416	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4192 wrote to memory of 3932	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 3932	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2400	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2916	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 2916	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe
PID 4192 wrote to memory of 476	4192	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ru.files.me/u/bgfhn9p85m
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9c89ab58,0x7ffe9c89ab68,0x7ffe9c89ab78
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:2
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
PID:476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:1
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:1
2⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3720 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:1
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:8
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1808,i,11684870583399847337,1357267110502320934,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28083:72:7zEvent12173
1⤵
- Suspicious use of FindShellTrayWindow
PID:892

C:\Users\Admin\Downloads\s.exe
"C:\Users\Admin\Downloads\s.exe"
1⤵
- Executes dropped EXE
PID:236

C:\Users\Admin\Downloads\s.exe
"C:\Users\Admin\Downloads\s.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:1392

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:892

C:\Windows\System32\Wbem\wmic.exe
wmic bios get serialnumber
3⤵
PID:4016

C:\Windows\System32\Wbem\wmic.exe
wmic baseboard get manufacturer
3⤵
PID:3036

C:\Windows\System32\Wbem\wmic.exe
wmic baseboard get manufacturer
3⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
3⤵
PID:2088

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
4⤵
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
3⤵
PID:1668

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
4⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:4064

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:3672

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:1576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
b1f81b89bc471eee54ad733e760bbfbc

SHA1
140e8632d099b4b14b31410fcf30b606054dc412

SHA256
f1df5b6082d71fc49d11bda6068e45899c743193ac234a1983208ec2e7910f99

SHA512
598fe6404d2c3c04f64071635458ba483770f5e8673cad9c4e1fee18f599e00c0dfb758ca3da47f25062248673d8a88d088141fa10a8f502b02c2624406406c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
f186aa90b6305e6fb6cde900ae41ada7

SHA1
5a7a5d3c94b697ea1ef0a3f3b94a2ba38acada8d

SHA256
3ce70daef20c0a3475afea1e1c99dca81603e0aa19375720fa88a9cce2304bbd

SHA512
5f2742221a172fc9f199d4a402625b8d94acd7b503cdd1d64f2694147a819272a8a44f659f89b7f4a5363899ab7cf806c7b8a362f5e162c5396aedaca5242d5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3bc22352aef941e11e2c8e01d76858de

SHA1
754d2aad7acf3b1a90ab3d7786a390dbd66dcfff

SHA256
846e4b434f270c78d72e8bdf0ed6a619e57d0c7ee19cb490a304c62c9f36f4f5

SHA512
415626dab1859dc02f9f78db26174c11e3af8a853ead7ee50012f7d7ac227d846c0f53ff2192c252d5ce39ce794ff365238bb18ad637a8bc49b6f94cc54e419f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ffd71e282510d85d2b2b6c570b276270

SHA1
7314bd100ac7fd2718a6e99f1db74b19777cb5e1

SHA256
6a9aab8077f9075c1390dc4abc968d0c8ba4832b815d0399892ba0c98923b803

SHA512
4db161d5abde1679cf8ea350469b708f0bd398cf347a83272062902524b59347c26e06c5392b66836aac294e753e99ee0814cca524e9b5baca2083bd5eaf0f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
309f014412fb7f5c46afe95260acfcda

SHA1
74ec73fe6005872a1489883ac3ed59b8747eeeaf

SHA256
72f727c18eebd8e06bc47dca339d359582247373592197669d89b6291f88705c

SHA512
2e96c3a1751d4c1b92c520cfb9e8c4342382bb8d385c6acdd4359e5547ae695f22b6e8098330df26200aa7f120196c573e4ee50b464c678f316420d92a901098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f9668e15b0aeed5ce4f80a2fc348aa59

SHA1
447a0b6715e758371f46f54e258ce7d592bae9b5

SHA256
bb2326612b3f7e65983d2e3867a566df0fb2e6229616b6d91186e754e0c1721a

SHA512
d27314bc894d7e6075420633937cb4bb69b4e5767442314f8dbf6563d5e4ad92b26dfd463100019b23b1fe06ea436e9a1973d8e35955dce99350723b0d724beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
251KB

MD5
e9268164af3989693ed859b1732f4cee

SHA1
838b4dea504a22041c747ec64bb9bc73ff6bfbc1

SHA256
e428886a7a2806460798f3c452d4b68b6adfb9146fe434f748605ef463c2f4bd

SHA512
f9b7cdc3f045ff1d09a068ea226ba4e7a0c03e884c1bd30fe2044fa44287a46bdc58f1970c6ab212e355f9a1da1e1b5fba1d4acf9325b70c23ffa891dce19604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
613656af3c548b29a9b3a76de7c8f7a2

SHA1
efcda0d52dfc437eb5827b4611f101cd038805e8

SHA256
1a1f7b1d28fa047c99a552627f465daaf3edb6c70a6c1cb68e7e596b9299fe33

SHA512
c5dead4ed17784b5820d467a22800b5c3cbf55df849a39f6a9ad4495dce85352bb660c353b0993d90e6aab0daf664ef5932d78252649de31d378c0c1a5eb200a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587143.TMP
Filesize
83KB

MD5
252ecaf39199f239e75407cc9fa62c06

SHA1
32f45123d71c0e745e961d532f4aac2edbde7626

SHA256
3fa33605bde580015918e1a60806d874ca5279ec5725b334a048f80ea012b440

SHA512
9e6e6635ea1af862e3ff924f052329e04ab9107bbe9aaf8b30385eedffd9fd74c29729dd155c91d1d34d9cc848b5765b0b99de4c360cf61c61fc4fff56a3831b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\_ctypes.pyd
Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\base_library.zip
Filesize
859KB

MD5
c4989bceb9e7e83078812c9532baeea7

SHA1
aafb66ebdb5edc327d7cb6632eb80742be1ad2eb

SHA256
a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd

SHA512
fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\ctypes\__init__.pyc
Filesize
15KB

MD5
79160e9e75230c9260bd2859a908c939

SHA1
4dcd421e020960287bf4879cc88672f90d577fc3

SHA256
4481b454d0176eb8e05d9a9418e6e35c767ffba359e68339c08be490d962bff6

SHA512
b75ab628a69ae5258e0d4f4ffe0803b8c51a6e2365b8fc3072c1a63e8324bd4f2c7c1943e4409bfdd7e80f58e05d57e002afe5be0fdaeb83165cef93d1a48201

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\python3.DLL
Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\python310.dll
Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2362\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\Desktop\CompleteOut.rmi
Filesize
135KB

MD5
8191c8cecb43dfe463100639647c641f

SHA1
65bcedcd8d6535313252330f0e85e02c2c25b382

SHA256
2c2e8f1e5724854f2b28c1f62f98450632fad35517e1a655a15f66747bfbd7ae

SHA512
19dd9e6029ea7f0ebb8074efa5c46ab3cdb35cd88dfb5b6afc08e80d1c1329889e1f0e4bb67773b2a34bcbd687ee31d02a2f03b75471c223560b671b3f58c8ce

Download Submit
C:\Users\Admin\Desktop\CompressApprove.avi
Filesize
142KB

MD5
36a034934f8a2797ffafc68502b9a700

SHA1
6df030d06c9264e62bffab7105137142f54110fe

SHA256
954e5e173a36fa475707faa0978a320c1127a2913e3811e3d9c3230148aae9e9

SHA512
315782a3a77b3695adba762e0c46eb40411b016bfb0df465a80faeec4b6036be9232d555920e31bdb75a8073430df17cb7e44900bf5d8a97ecfb9a3982f9a2e1

Download Submit
C:\Users\Admin\Desktop\CompressDebug.vbs
Filesize
416KB

MD5
460d78f89b4af36aae702e567b6bba79

SHA1
e5aead20e0a60ddd425a319bbde95849646c5be8

SHA256
1ac499a10ed915fed00ed6a8bb18ea146cd749e7832d39477cfcc17dc449effe

SHA512
9f251532bcffcdb2d19e2cf15f501086ea505110f704c78f11d52cf79d7f3be56c3df8fc47bb344f7438fa2a34ff07904718e554132c86cb5226f007a7be3ef6

Download Submit
C:\Users\Admin\Desktop\ConvertToPush.ps1
Filesize
208KB

MD5
ec4d3e7605631aafd02d4c382a188782

SHA1
523134e308c0ec8dc7108e43f1df042a60bd4d7e

SHA256
f115d86f897cb01400494d6f4c6b6d7ad402c3eac3c74cf8da28fc8dd9e0add7

SHA512
c98d2f81818262635f45c3c141c14473343304109974226ea5db563b08c42c0ae0f3fa5139a993639a9f08384e50f8a03546418cddea9e48c508a6bb65275d02

Download Submit
C:\Users\Admin\Desktop\EditRequest.vb
Filesize
303KB

MD5
86ac4ed3991c0363bd8d98a2963c6602

SHA1
5fac464ec6abd93058a58392615506616d69ff76

SHA256
6a7f5bb8859b65544af68772fd4627448cd9a39c826b596ce397b35680b02c94

SHA512
91500f278538826ed0771b36b375596043c16fa3d1d93301451153d3a57f65556458f4e44a968d0ce06c5e4877c9b17ddd311e7a8b242413bd77bee69abb211c

Download Submit
C:\Users\Admin\Desktop\EnterEdit.mpeg
Filesize
178KB

MD5
6535c436647ea6ffbbdd2ff751e4f955

SHA1
c873783c9176b83d2c0533aa086de3516c8deac9

SHA256
af57e4d485f2057882fb12df861c09ca3bf3edfd09c6f33aa7ff611af6e8c66b

SHA512
7f608da6ed6baa1f0c281b3e16784fbc40d0a73d051df8d1e6e75329803221de4b644273ea903e78bae220bc7779bfbfd0bae19b19806b71c88c917bd4d8c4cb

Download Submit
C:\Users\Admin\Desktop\ExpandUnblock.mhtml
Filesize
295KB

MD5
1ad5603ed9f39742fd1baf5982ce8380

SHA1
de833e35f2ad02a335ed9057d8b4027c79e7ad9a

SHA256
625aed254d23c7103693428f02116f01ae1363aef9db1025be0a2d43708c16da

SHA512
5e1effa447a77178f3dfa77dee51bad4d304c5df84bc55311dcf2fc1ba5cdd6ef93c22602b27d68d842de60ac16fe7dc988d0117796d4414ee742005c02bb9fc

Download Submit
C:\Users\Admin\Desktop\ImportLock.edrwx
Filesize
157KB

MD5
15e6f760004e9823f8b52d0562906b03

SHA1
6b73a4d6246206a8365e8b9d8aa58f686c4468d9

SHA256
be388e928c2ab258317f033dadad72d76982555ddae7781aa2d14d4df3535ab3

SHA512
7f73e61b42688c6306a125d0331249203e7abc18cd2dc8c72ed4513fc824d108aa5927d7183d71564aec2844e10f5d7e8831de43afbeac21c9fdac6f4240619e

Download Submit
C:\Users\Admin\Desktop\ImportSearch.ps1
Filesize
127KB

MD5
ac458836074feef7cc2187d2e7ba4fcb

SHA1
add81c3d8126f9ce7998b11dee3d09c5d685658f

SHA256
3a7ad1b5f353aff3e31feb73d226b7c047eae1a4bb448b381c4bd0e13d06c1a9

SHA512
7972039d646ba54a1866fdb8556812c92724960a64b4f43d72520480fd84b7a2e66337d4575911e24473aff043610d1c2d96ff2b986251959b19e447329e351b

Download Submit
C:\Users\Admin\Desktop\ImportUnblock.mpa
Filesize
237KB

MD5
d61c70c94eeb1654214a802432c14565

SHA1
c7f175b36db6802141f566c0cf88b0612c5c083c

SHA256
5b4857f91544075ef442352cf3180a4a33d166d3011fc3b216806b1614260946

SHA512
dbf54fe0c3d96b7876dce4481a06a91520a926ea20792751acc29f166208fd1f658a548da27eac1da0462e66a473019ed11b3e7f9534fa513f4a6a363af5b47d

Download Submit
C:\Users\Admin\Desktop\JoinConvertTo.dwg
Filesize
105KB

MD5
1e434ad6aee6e5e4bfe99f76ad244155

SHA1
5cc239a92f09fa850d77ba2b92e57a689d43c992

SHA256
6bc9e75379ca8bc43ea08e6f4be1e860d6d6f789bb643eec713a38cdb2dd9a95

SHA512
6c1a3ec571ac3dd0045b54dbd16a69a6dec87735f931fdfdbd29243e3bcfb3bd3b9bd8dc437c28e83d322c334b2d002eaf274dd9880e7a35b358e23141274a4d

Download Submit
C:\Users\Admin\Desktop\MergeBlock.cr2
Filesize
288KB

MD5
9eed28e273e1368287d9c5353695273d

SHA1
f75c74fa5dc7e742382d9fc77c56e1fc6010ede1

SHA256
1224a2b7e48ec832cb6697a5231430c2bbd63f274a22dcf1985a35ac12ac9498

SHA512
7b7043a03d1ac0a37146f86d48d7499734ac030e2d2d3236afa389b97f2ee228a98456ec0b05e81e1f6d9c798945d5a698ab9a043ee83ec84bbff078c6c3a32c

Download Submit
C:\Users\Admin\Desktop\MergeSplit.gif
Filesize
200KB

MD5
0a0b0ba74832133c2beac50808cda8fa

SHA1
c18a03300cb32fd479b8020ceaba1b8fece1e144

SHA256
338d41c6a11bd1c2068504148d118f9d068a9f7d28a90ea4c4a76f172cd01eac

SHA512
bef69f3740c73366123e8855bae7b92095e98f6fc2eca8211edc980713d46655d3aecb03d30a48024901be9150f8bf07e13a82da3431dea48486137d677586c1

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
b057cb7d79af0dbb5d3431e39ded5f34

SHA1
c920d4bd1315f27d3b83e5ba9efa209cefb7f92a

SHA256
71297a4225bf2249ad558c8caac28c3e70fe39736ad2e5a0d8e8a3ba75e5f56e

SHA512
eb57356c0deb0b0731b3219d9e487e8e50f0487199f241dd2f3468277bb7f5facfee9297e415c44ade0e368d704d14709c90ab5cbfdeffa89ae6c390ea54006d

Download Submit
C:\Users\Admin\Desktop\MountDisconnect.potm
Filesize
244KB

MD5
dcb40471a4f8ea1cda5366ce0460c454

SHA1
80008bff6913ff432cc6ae47334602623e4b9603

SHA256
462324b39bf2888bc1ddabea37c476e3380c53e010953a3971df8c7487c2d10c

SHA512
d621f366a388abbd3ccda769967b8a76db535a7d4b8489d9adb3f85a444a3ebdfe24cc9f72ec764fd366d8aea62f6f16c156648b4a48e10f199e3c86b771606d

Download Submit
C:\Users\Admin\Desktop\MountSuspend.dwfx
Filesize
266KB

MD5
68aa787c5291600f4f534f8f82f56b36

SHA1
dc94c5344854aa30e802c6592604a5c316755132

SHA256
9950473f0a19fb1647fbfa42b7e0b1dffc9a9339334404db9823492255431cd8

SHA512
e3d73ade04428d91c0d6d3db8354ae5aa49985f7a88a5d8be4bd74df4fc342698d63c3d79fc43be6f5a3bbd1ee0c409c69f00db59cf0d9a72c4083c126f55c2d

Download Submit
C:\Users\Admin\Desktop\OptimizeConvert.mp4
Filesize
215KB

MD5
6b6581359633a2dcc4abd03c2d188873

SHA1
6968143903f10ae3527c498e54bf751c7e75bc46

SHA256
cf97d7951717723d88f4c5bbe7677dc865e4afbddb2c03cb03e31d19d99870d2

SHA512
157e20b9ebf96c2effc76c615ca41198cf130c50e2bb366ca5678d04ec644c4479622b4b0222f59b65165f1a23f8402df939ee9dc923c06dc824737490f5216f

Download Submit
C:\Users\Admin\Desktop\PublishCompress.m4a
Filesize
259KB

MD5
77672a932086edf770b9caed84ccc3b3

SHA1
9535a8fd82cb7f948abc4634a23c945238bcf093

SHA256
d050d63a652e3e8518674d42fd7625ef467ee3f3a7d2cf66b8402ba14ac76be8

SHA512
6f1acaa25974dd6162828698a8428de253fd5b129d48340a602daa9a612199ecff2c9b6ba94c24099c6ff48171b86bac38f0ab51536f52d70303efe76fec6074

Download Submit
C:\Users\Admin\Desktop\RedoRename.cab
Filesize
149KB

MD5
115602d7d5a3636130b3caf49d67f0be

SHA1
9ac04be4c4dc34467968b064af9978bfb52ed872

SHA256
a38ab6eab3db4cd006492454fa214bbabea9f362ece8a7e3832bc96f90135e77

SHA512
629cd0f2609c917f4f2449f6fb55c869eac0c970841ec56d8654240f162f54aac8aed29735ec63c49458ee024239e76c029d9511b41b25bb6af4cdd7f16b75e1

Download Submit
C:\Users\Admin\Desktop\RestartSet.bmp
Filesize
252KB

MD5
b7f671fd16ced18fbeb9e20096c3ff2e

SHA1
0a9fa5a65dfc0117532cc2154fd010181c8d311e

SHA256
95bad4973c8df1aeecca74d854b2f3d86c18ed86284b683d5bd6be7da50e37d1

SHA512
d0985c69fffb3f00b91b9f8ff5c00c86eeef3d046114875db91428e72ae5f8590dec4c27805746bdbae69b850902107ed9027326f353c4188f24d0f3a402faa8

Download Submit
C:\Users\Admin\Desktop\SendMerge.eprtx
Filesize
193KB

MD5
a4ec01f8e22c06261af6c02c6b768434

SHA1
a5aa48ca8d05138daedac8d150b5d8c86ffd36ef

SHA256
c8a1d1122689960277397bc39d715c572f3169e9e6624d6b9191aac4d2e524d6

SHA512
a1db4f93962bf4b8f616df384fbe4b486044c058ee8e62d06bc5d7814fc81768806b201dce85a19cef9b73b65f0b1664c16906123241021cc8fa735b0f2cdbf3

Download Submit
C:\Users\Admin\Desktop\SetUnprotect.asx
Filesize
222KB

MD5
7b77538f11e63a55423876ab1ad9a6fd

SHA1
db1d8b2b266ef853800d2a3122d58b7ef9ab58f6

SHA256
dc566828929e5129c6364ae03e5513a8aa081a08fb77d4769404c3f36ff0045a

SHA512
80fdd35609d202fd012d42d6f20df36080c9688c512d7b9731980cc5c9c73f88ca53783af6789e1e98cdd3532db8a0dc53aaa087f7dfb34a5a8f27a78b93c8aa

Download Submit
C:\Users\Admin\Desktop\SplitJoin.DVR
Filesize
171KB

MD5
45359dc882d179bb49084e9ba35a1134

SHA1
c0c08eb6e79b541a5a797eadaa80647bf938e2cf

SHA256
049b5bbacb254dffcd4f4cc053e5cc627441b09634fd5789a45c59be43891224

SHA512
a90430897f83671c5c36513293894b0009d8407e0c4567e5b6e6c790751df6fabafc08cc4314f4d528182121d75e3bf9e7026c1c4e14ac0e7b7a46be88862300

Download Submit
C:\Users\Admin\Desktop\StopAssert.lnk
Filesize
164KB

MD5
49e60d9b2bfa56178aa1faa64d001d49

SHA1
da491bc9096e21c76177b5a4b017a64c09f1a41f

SHA256
7e464e482d35e42ba3bcf5be9ea3e38db812783fe8a9da35b3ad9ca5c2dfcbe9

SHA512
724db653407cff018520b19d2781047f44112bde60effcc16eea8b6b3a1b994417fae0bd19029168b1060ae53c7dbfe9906d48daeddeab41fc6fe2f09bf2ca7f

Download Submit
C:\Users\Admin\Desktop\SwitchRepair.avi
Filesize
113KB

MD5
003d920f43baf7c78c670361b5653fa2

SHA1
b5b65c56f172558db364ff7894c83dd9a603aad7

SHA256
c5fe717bffa5dcc1359e9f0b65774802bafe8af030eb33b50bcaa6b4d8649f0b

SHA512
346a4d7fa10d862b48542a55d1d75e3ae105ade7a108d35152320fce9fc67d85ceb9d4b4b8da321497b058fa55747ec6667542660c40358ce953a23f5e4c0832

Download Submit
C:\Users\Admin\Desktop\UndoAssert.rle
Filesize
120KB

MD5
04a3f419af390261ccdaa7c1d7a15f6e

SHA1
32f8d4d5923e35272c1e0b0528c54ed385dd5867

SHA256
a34b3935831c1eaa9df759c3e114e04f64b117d3bebfde2672b46d9c708ef5e2

SHA512
dde45e28b5946d73436860cfbdc67903dffdaf2b79e6e402bfde53b640744ada13c487a3f88f43568b5595ac6bcdaa8f02cbd5b0d4cebe202af67a824ba02571

Download Submit
C:\Users\Admin\Desktop\UnpublishConvertTo.midi
Filesize
186KB

MD5
9f577e36bb57bf7b5a69d7c1b267a7da

SHA1
aca4da437ede7b2c6fd43aeeb1d6153e8d44f4d1

SHA256
6fd63db093da9e7add092626cdb079ee3340013932fa90a7bf407eb3de75a4da

SHA512
6749c3cc8d47d88b33f1c63c5e5417acb2f8d1b5ea146a37563e2cc225dfc26f0dca75ef738a3ce284b8afa61e08c275b5c94f1c0207453ae35728bd29276554

Download Submit
C:\Users\Admin\Desktop\UseRepair.mp3
Filesize
230KB

MD5
0c3c78b573cd1dd868a947fb424dafdf

SHA1
6969c6aba5e9a26a8457ee8556981fb2a3537a5f

SHA256
ed8225cd01953b1d5fdf0583c48ea4aff31b1458f3dc4c5158ead35672db66e1

SHA512
60b7fa70a5e300e20c29286883ce4a0b187c960cd6015df4a63f3707a296a1c6268a77fac80d05abb5afd89afeaf1fefa3cee825a3ecbf670ce4f19efef0043c

Download Submit
C:\Users\Admin\Desktop\WaitRegister.DVR-MS
Filesize
273KB

MD5
165cb67ad8d81392b5f19975b1505740

SHA1
1987f95748b9c97d41fb1a5127b7696302b7f1b6

SHA256
a3f96add54a11dfa9fb270accee9139173caf2aef6f030022530cb31d312d3f9

SHA512
98b8b4bf91e207032f993e23e161a0cfbcc8e6690d9c174417ba42f38ced9869e3271d0cae98885d324c63e78e6f10e94733f79a297260bd699ee244919f6963

Download Submit
C:\Users\Admin\Desktop\WriteOpen.mht
Filesize
281KB

MD5
e2140a604b49ef99bca3a238e01245ca

SHA1
5ce941364b29041ea30fa71d1e33c735480b0fe3

SHA256
787a2894c38a1d0541d554fbfe2f450afb8a6ab7e8d19ca77d667ecbf2f9f912

SHA512
3026336c65cb9b9fc84e51da3aea7bea4ea2c946b81f031644a6faa2fd6cb80f36ed41d93c80f95caf21f7a8094ad7192daaee01e9185e3fd8808de4e541ed9c

Download Submit
C:\Users\Admin\Downloads\Späti.zip.crdownload
Filesize
19.7MB

MD5
279b5380804046009e9ccfa6b320f206

SHA1
74598320bd8787f9ad068765960721d2456f469a

SHA256
f18b07e9d78ffdb592d3b62041a3cbd6b9e4591f49a680fd016d7430f24c4bd9

SHA512
e9502caeec3e299c26b4d4c4d52f856ef105a27b0ad71f1a850f53412e1079165f7ab5ec9a07c090f262499eb9897e68254fe7d3be36d1138fcac160d02415b3

Download Submit
C:\Users\Admin\Downloads\Späti.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\s.exe
Filesize
19.9MB

MD5
3f3772337a3b73822f085dbb0cd01900

SHA1
7f1bfc5f2d474c4156311d1ba45b2e210af9379b

SHA256
5deef62742a512f4b374349242938078be3f5158e37973cf731d8423c5c48f0c

SHA512
d3d90adbbaae1e259fb994caeb73e61918473587bb25e0b2710293fa84c30127ae07a391337fea11e3e1443724598460abc263b6cfa6c7b844a9ad8e2dda5aec

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
3ac1508499220e75195ede2ad51f6e8e

SHA1
160c365144ac2e23e38b94c9d8a54fdbab116bae

SHA256
c1747fad7fbd82dca8ad996845058d3046272fe9624898b81021b0786ac68258

SHA512
fd0a0202b3ac708a8908bef9c4e69d75d53ba49fc87910d27633194a0d70da9e9a115352fab715cc440a6d8fd4bd525fe1cce687b422c45475cd18503db7a0b1

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
24d995b519793ffb9c3b6a397785427e

SHA1
96bd60edff95f56cb71fec8edb3d2442693e5c71

SHA256
138cd6bfa668e03ccbc7d68f0c3f80eacc9b39fc839a2f0972ff3bdf1c1a4b63

SHA512
5581e7e60e6b67a05cde66d2a5e8d5a97b77dab8b513d8095d8f0840a4ce7f99f149ada5ea784430b9f6f9ca54a3db2f2de467692efc79db6785dca5177e58c2

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
0429f73d3db7289c11e72601fa635f8d

SHA1
90e28c66f093ac8aa321f0d27f94a775c1e5e13e

SHA256
164fe01facfffa963b983dc1a38c6697daf3251a82e51a8af7c774e49e39019d

SHA512
7712c543d5b845cf55747dd7ef04f551e4ae97723fc919c49ee0fd5ff610cb4a01d3033fb9b897084b95f4b9f1050b6b86d23ba37750ac3420fee308876a0f73

Download Submit
\??\pipe\crashpad_4192_MLKSTLUMEELDQBHU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2168-1952-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1951-0x0000027A9EE00000-0x0000027A9EE01000-memory.dmp

Filesize
4KB

Download
memory/2168-1954-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1956-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1958-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1960-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1962-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1964-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1966-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1968-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1970-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1972-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1974-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1976-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1978-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1980-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1982-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1984-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1986-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1988-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1990-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1992-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1994-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1996-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-1998-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2000-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2002-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2004-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2006-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2008-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2010-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2012-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download
memory/2168-2014-0x0000027A9EE10000-0x0000027A9EE11000-memory.dmp

Filesize
4KB

Download