60a85ea9008ff6df7260d2a4e325fee8658ed8df5b90b80ae85a4f8c8ce8f9a3

Analysis

max time kernel
812s
max time network
813s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PPClientInstaller.msi
Size

5.5MB
MD5

00980613a95af934dfff12eea77d3bd4
SHA1

8d9869186bf6236dcfc75891879d4afe817534c6
SHA256

60a85ea9008ff6df7260d2a4e325fee8658ed8df5b90b80ae85a4f8c8ce8f9a3
SHA512

ea7801151c02bb67ab32f3aefb7daec4cc9ea10a18df410919059efbaa4c2c5faeb2bcd00d1ba5b830fe480e9f87697e48c40aebee7810e2d584a2729c8bb67e
SSDEEP

98304:OGII8+2hdfoVEZfPqMg0sloe7Rx3LqxHksWFTfSGa3k/1T+P2wG5Nlzp:/12hZ6EN+O+R1qHks8TfS30tT+UN5

Score

7^/10

discovery persistence

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3972	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PPClient = "C:\\Users\\Admin\\SSC_PPClient\\bin\\RunPPClient.bat"	javaw.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1316	msiexec.exe
10	1316	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57b297.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2A9EBD96-2488-4673-8474-E08F6668695B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB342.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b299.msi	msiexec.exe
File created	C:\Windows\Installer\e57b297.msi	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
2336	MsiExec.exe
1600	javaw.exe
1724	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008b5ebddfef16308e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008b5ebddf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008b5ebddf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8b5ebddf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008b5ebddf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133583486565674574"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ssczip_auto_file\shell\open\command\ = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -Xmx300m -classpath \"C:\\Users\\Admin\\SSC_PPClient\\SSC_Post_Processor\\SSCPostProc.jar;C:\\Users\\Admin\\SSC_PPClient\\SSC_Post_Processor\\..\\lib\\itext-1.4.3.jar\" com.ssc.mss.pp.PostProcessor \"%1\" %*"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\SSPostProcessor.isInstalled.1.0.9\ = "isInstalled Class"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sscprc_auto_file\shell\open	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\sscprc_auto_file\shell\open	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sscprc_auto_file\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\.sscprc\ = "sscprc_auto_file"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSPostProcessor.isInstalled.1.0.9\ = "isInstalled Class"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSPostProcessor.isInstalled.1.0.9\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\1	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ssczip_auto_file\shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sscprc	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ssczip_auto_file\shell\open	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sscprc_auto_file\ = "State Street Post Processor File"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\ssczip_auto_file\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\sscprc_auto_file	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sscprc_auto_file\shell	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ssczip_auto_file\shell	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ssczip_auto_file\EditFlags = 00000100	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2676	NOTEPAD.EXE
2940	NOTEPAD.EXE
3736	NOTEPAD.EXE

Runs .reg file with regedit 3 IoCs

pid	Process
4732	regedit.exe
2768	regedit.exe
1640	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
548	msiexec.exe
548	msiexec.exe
2180	chrome.exe
2180	chrome.exe
3876	chrome.exe
3876	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3584	notepad.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	548	msiexec.exe
Token: SeCreateTokenPrivilege	1316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1316	msiexec.exe
Token: SeLockMemoryPrivilege	1316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1316	msiexec.exe
Token: SeMachineAccountPrivilege	1316	msiexec.exe
Token: SeTcbPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeLoadDriverPrivilege	1316	msiexec.exe
Token: SeSystemProfilePrivilege	1316	msiexec.exe
Token: SeSystemtimePrivilege	1316	msiexec.exe
Token: SeProfSingleProcessPrivilege	1316	msiexec.exe
Token: SeIncBasePriorityPrivilege	1316	msiexec.exe
Token: SeCreatePagefilePrivilege	1316	msiexec.exe
Token: SeCreatePermanentPrivilege	1316	msiexec.exe
Token: SeBackupPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeShutdownPrivilege	1316	msiexec.exe
Token: SeDebugPrivilege	1316	msiexec.exe
Token: SeAuditPrivilege	1316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1316	msiexec.exe
Token: SeChangeNotifyPrivilege	1316	msiexec.exe
Token: SeRemoteShutdownPrivilege	1316	msiexec.exe
Token: SeUndockPrivilege	1316	msiexec.exe
Token: SeSyncAgentPrivilege	1316	msiexec.exe
Token: SeEnableDelegationPrivilege	1316	msiexec.exe
Token: SeManageVolumePrivilege	1316	msiexec.exe
Token: SeImpersonatePrivilege	1316	msiexec.exe
Token: SeCreateGlobalPrivilege	1316	msiexec.exe
Token: SeCreateTokenPrivilege	1316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1316	msiexec.exe
Token: SeLockMemoryPrivilege	1316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1316	msiexec.exe
Token: SeMachineAccountPrivilege	1316	msiexec.exe
Token: SeTcbPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeLoadDriverPrivilege	1316	msiexec.exe
Token: SeSystemProfilePrivilege	1316	msiexec.exe
Token: SeSystemtimePrivilege	1316	msiexec.exe
Token: SeProfSingleProcessPrivilege	1316	msiexec.exe
Token: SeIncBasePriorityPrivilege	1316	msiexec.exe
Token: SeCreatePagefilePrivilege	1316	msiexec.exe
Token: SeCreatePermanentPrivilege	1316	msiexec.exe
Token: SeBackupPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeShutdownPrivilege	1316	msiexec.exe
Token: SeDebugPrivilege	1316	msiexec.exe
Token: SeAuditPrivilege	1316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1316	msiexec.exe
Token: SeChangeNotifyPrivilege	1316	msiexec.exe
Token: SeRemoteShutdownPrivilege	1316	msiexec.exe
Token: SeUndockPrivilege	1316	msiexec.exe
Token: SeSyncAgentPrivilege	1316	msiexec.exe
Token: SeEnableDelegationPrivilege	1316	msiexec.exe
Token: SeManageVolumePrivilege	1316	msiexec.exe
Token: SeImpersonatePrivilege	1316	msiexec.exe
Token: SeCreateGlobalPrivilege	1316	msiexec.exe
Token: SeCreateTokenPrivilege	1316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1316	msiexec.exe
Token: SeLockMemoryPrivilege	1316	msiexec.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1316	msiexec.exe
1316	msiexec.exe
1600	javaw.exe
1600	javaw.exe
1600	javaw.exe
3584	notepad.exe
1724	javaw.exe
1724	javaw.exe
1724	javaw.exe
1724	javaw.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1600	javaw.exe
1600	javaw.exe
1600	javaw.exe
1724	javaw.exe
1724	javaw.exe
1724	javaw.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2440	javaw.exe
2440	javaw.exe
2440	javaw.exe
2440	javaw.exe
1600	javaw.exe
1600	javaw.exe
1600	javaw.exe
1600	javaw.exe
3584	notepad.exe
3584	notepad.exe
3584	notepad.exe
3584	notepad.exe
3584	notepad.exe
1724	javaw.exe
1724	javaw.exe
1724	javaw.exe
1724	javaw.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe
2664	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2336	548	msiexec.exe	101
PID 548 wrote to memory of 2336	548	msiexec.exe	101
PID 548 wrote to memory of 2336	548	msiexec.exe	101
PID 548 wrote to memory of 4412	548	msiexec.exe	108
PID 548 wrote to memory of 4412	548	msiexec.exe	108
PID 548 wrote to memory of 1768	548	msiexec.exe	110
PID 548 wrote to memory of 1768	548	msiexec.exe	110
PID 1768 wrote to memory of 3564	1768	cmd.exe	112
PID 1768 wrote to memory of 3564	1768	cmd.exe	112
PID 3564 wrote to memory of 3972	3564	java.exe	223
PID 3564 wrote to memory of 3972	3564	java.exe	223
PID 1768 wrote to memory of 4032	1768	cmd.exe	142
PID 1768 wrote to memory of 4032	1768	cmd.exe	142
PID 4032 wrote to memory of 2908	4032	cmd.exe	116
PID 4032 wrote to memory of 2908	4032	cmd.exe	116
PID 1768 wrote to memory of 2440	1768	cmd.exe	127
PID 1768 wrote to memory of 2440	1768	cmd.exe	127
PID 2440 wrote to memory of 4376	2440	javaw.exe	128
PID 2440 wrote to memory of 4376	2440	javaw.exe	128
PID 2440 wrote to memory of 2488	2440	javaw.exe	129
PID 2440 wrote to memory of 2488	2440	javaw.exe	129
PID 2440 wrote to memory of 1216	2440	javaw.exe	130
PID 2440 wrote to memory of 1216	2440	javaw.exe	130
PID 2440 wrote to memory of 2052	2440	javaw.exe	132
PID 2440 wrote to memory of 2052	2440	javaw.exe	132
PID 2440 wrote to memory of 620	2440	javaw.exe	134
PID 2440 wrote to memory of 620	2440	javaw.exe	134
PID 2440 wrote to memory of 3476	2440	javaw.exe	138
PID 2440 wrote to memory of 3476	2440	javaw.exe	138
PID 2440 wrote to memory of 5028	2440	javaw.exe	139
PID 2440 wrote to memory of 5028	2440	javaw.exe	139
PID 2440 wrote to memory of 5104	2440	javaw.exe	140
PID 2440 wrote to memory of 5104	2440	javaw.exe	140
PID 2440 wrote to memory of 1732	2440	javaw.exe	143
PID 2440 wrote to memory of 1732	2440	javaw.exe	143
PID 2440 wrote to memory of 1204	2440	javaw.exe	144
PID 2440 wrote to memory of 1204	2440	javaw.exe	144
PID 2440 wrote to memory of 4036	2440	javaw.exe	146
PID 2440 wrote to memory of 4036	2440	javaw.exe	146
PID 2440 wrote to memory of 1668	2440	javaw.exe	147
PID 2440 wrote to memory of 1668	2440	javaw.exe	147
PID 2440 wrote to memory of 2860	2440	javaw.exe	148
PID 2440 wrote to memory of 2860	2440	javaw.exe	148
PID 2440 wrote to memory of 636	2440	javaw.exe	149
PID 2440 wrote to memory of 636	2440	javaw.exe	149
PID 2440 wrote to memory of 880	2440	javaw.exe	150
PID 2440 wrote to memory of 880	2440	javaw.exe	150
PID 2440 wrote to memory of 3280	2440	javaw.exe	151
PID 2440 wrote to memory of 3280	2440	javaw.exe	151
PID 2440 wrote to memory of 464	2440	javaw.exe	153
PID 2440 wrote to memory of 464	2440	javaw.exe	153
PID 2440 wrote to memory of 4144	2440	javaw.exe	154
PID 2440 wrote to memory of 4144	2440	javaw.exe	154
PID 2440 wrote to memory of 3716	2440	javaw.exe	156
PID 2440 wrote to memory of 3716	2440	javaw.exe	156
PID 3716 wrote to memory of 1640	3716	cmd.exe	194
PID 3716 wrote to memory of 1640	3716	cmd.exe	194
PID 2440 wrote to memory of 2968	2440	javaw.exe	133
PID 2440 wrote to memory of 2968	2440	javaw.exe	133
PID 2968 wrote to memory of 4732	2968	cmd.exe	169
PID 2968 wrote to memory of 4732	2968	cmd.exe	169
PID 2440 wrote to memory of 5096	2440	javaw.exe	170
PID 2440 wrote to memory of 5096	2440	javaw.exe	170
PID 5096 wrote to memory of 2768	5096	cmd.exe	172

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PPClientInstaller.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7871FD9121F29BCAE320F30ACD121C02 C
  2⤵
  - Loads dropped DLL
  PID:2336
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\PPClientInstaller\Install.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -version
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c java -version 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -version
      4⤵
      PID:2908
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    javaw.exe -jar "C:\Users\Admin\AppData\Roaming\PPClientInstaller\\PPClientInstaller.jar"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:4376
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:2488
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2968
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:1216
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:2052
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:620
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:3476
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:5028
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4032
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:5104
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:1732
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:1204
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:4036
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:1668
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:2860
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:636
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:880
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:3280
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:464
  - - C:\Windows\system32\reg.exe
      reg.exe
      4⤵
      PID:4144
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C regedit /S "C:\Users\Admin\SSC_PPClient\lib\tmp.reg"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\regedit.exe
        
        regedit /S "C:\Users\Admin\SSC_PPClient\lib\tmp.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1640
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C regedit /S "C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\tmp.reg"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\regedit.exe
        
        regedit /S "C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\tmp.reg"
        5⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:4732
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C regedit /S "C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\tmp.reg"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\regedit.exe
        
        regedit /S "C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\tmp.reg"
        5⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:2768
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\\../bin\CreateShortcut.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\SSC_PPClient\bin\CreateShortcut.vbs"
        5⤵
        
        PID:1972
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\\../bin\RunPPClient.bat"
      4⤵
      PID:692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c java -version 2>&1
        5⤵
        
        PID:376
      - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
        
        java -version
        6⤵
        
        PID:3864
    - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
        
        javaw -Xmx300m -Dpp.config=..\conf\ppclient.properties -Djava.library.path=..\lib -classpath .;..\lib\commons-httpclient-3.0-rc3.jar;..\lib\commons-codec-1.3.jar;..\lib\commons-logging-api.jar;..\lib\jcifs-1.3.8.jar;..\lib\itext-1.4.3.jar;..\lib\swt.jar;..\lib\PPClient.jar;..\SSC_Post_Processor\SSCPostProc.jar;..\lib\libE2EE_v1.2.jar PPClient
        5⤵
        Adds Run key to start application
        Drops file in Program Files directory
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1600
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:2280
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4860
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4960
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1640
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:2360
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4416
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4596
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:864
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4300
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4056
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4972
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:3600
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4384
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:2332
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:5008
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:3636
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3972
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:3628
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:1236
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:4104
      - C:\Windows\SYSTEM32\reg.exe
        
        reg.exe
        6⤵
        
        PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3992

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2428

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\SSC_PPClient\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\SSC_PPClient\bin\hs_err_pid1600.log
1⤵
- Opens file in notepad (likely ransom note)
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\SSC_PPClient\bin\RunPPClient.bat" "
1⤵
PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c java -version 2>&1
  2⤵
  PID:2660
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -version
    3⤵
    PID:5040
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  javaw -Xmx300m -Dpp.config=..\conf\ppclient.properties -Djava.library.path=..\lib -classpath .;..\lib\commons-httpclient-3.0-rc3.jar;..\lib\commons-codec-1.3.jar;..\lib\commons-logging-api.jar;..\lib\jcifs-1.3.8.jar;..\lib\itext-1.4.3.jar;..\lib\swt.jar;..\lib\PPClient.jar;..\SSC_Post_Processor\SSCPostProc.jar;..\lib\libE2EE_v1.2.jar PPClient
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1724
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:4384
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:1716
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:4584
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:3312
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:4212
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:4224
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:1812
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:2396
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:4924
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:4540
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:2748
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:2220
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:1644
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:1508
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:3252
- - C:\Windows\SYSTEM32\reg.exe
    reg.exe
    3⤵
    PID:2152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2664
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\SSC_PPClient\conf\ppclient.properties
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xf8,0x120,0x124,0x104,0x128,0x7ff84e1aab58,0x7ff84e1aab68,0x7ff84e1aab78
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4800 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4888 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5028 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3036 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5360 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4208 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4212 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6068 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5960 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=872 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5648 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:8
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5660 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6024 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5332 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=2616 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1836,i,12742935393964162493,14719313607683551231,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b298.rbs

Filesize
8KB

MD5
a541502133a3866f15948faa29a73d7f

SHA1
77e4556cf321b1d9309d075f323aa707d25ca135

SHA256
df0b614184450872483a1fb457586592687bffbde9bb2d304f255b7a3eda5f23

SHA512
81ca21a61767e5da059f514b3ef0a843bdc1ece0117c66c22077e979600045bab27095f0e1b5c8d33c90ba9a4eb29f8081cb5c42e2928af9f6cb52d0f58a57c7

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
2e9e2d0214535c3ce7e97c7a414d47f6

SHA1
1f19034c398c6041462f9ca79c2f3786336da337

SHA256
66d9d8692027d432e52968be8b60e9ac8b0ede68bcfc961c9080cfc84f345d35

SHA512
3183a29b36e86a8d482ae82721d7a4b58d39b30aa42a45c1114dec5a96d18834d26b36b929fab398eacadda4bfc9483e9107fb0450b6c3cd2c50cd9b01ae99f3

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
cbc56c89d92709d609463f0112a047af

SHA1
02ce9a7f702c99cdbe02489f6c4ad48db3affe95

SHA256
b51d9acae57895e139c2069d1b57dd29510f6620da7328a618914c8cbdf14626

SHA512
2f8890a681ca4ebb1f0cff955cee2aac60fd4b00d52237dff1c1f246e31ae32989a0bab2102cf4bcce9c0d7740d7a246ce05168de94fc46dc6fbd95474173528

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
513034f9a6b571d5d031315890677fa5

SHA1
defd2a281b9c1d3b55d16c19aac19ed4713df26f

SHA256
3d7825dedbf1bdc2e609fddc80e400199015221a38c32886db845835e2241e96

SHA512
e1be5e893e6bc4c46d317bf78dcee8c2bab43394dc141b17e8a6d4148c10abe9ff6c124ca779bf144f6dc4fca1e0e334ab6766e0d783dfdb04a0099127c1e233

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
102a1f149c621c0a36e0ef9e62bab285

SHA1
b9f6d5725c30e61f743394786f23c6b9639d2348

SHA256
932b48764655f5a094e585ba6fb68d15862a902f71abf46d03e29141472c071e

SHA512
3122c00ba16d6fc83910127ad3b9ef62bf27c4f826703c40da6b3c933d2ffa2407edc065f3eba790339c3f5c61b1c7cc1ed833c8eb2c5ee4ae6c8f49ee5ffd28

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
174b0f3cb6685f42132c9bd803a670a1

SHA1
dedade94e201d9a0743379c6a2a35ab6b1cdfc09

SHA256
a5db0036be4b409625c7126f019af597cd70029d64fbdd45db13816804998c00

SHA512
4a4775a95fd17539af20e107e7dad30f1f4d7ea1fa520946c1799112676420ae3dd31a775d20f8f57ec0092a9e0045772ae3b2e129a70c4ce220af2f43f914ac

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
f1cb342d3346fd7c2ef61eb61ee23f7b

SHA1
b760a55dc5fe6371ffbeafea4d35ebf1472ebd0a

SHA256
891737cad5823cd8034f4ecc5c2e56bdf7cb037dc2d186e3c37c8b53ad9f2275

SHA512
8c571083acb76809715e18858e421920b6cc15d30689660d5b64fe58ac4194e1a9fb2f0c7d0b97413c4d025cfc66a2db843a90faea2b1ab9df1260c6ce9e1ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
ddc479d21c448dfbcf2f85fe1e7534b9

SHA1
d2b4da585aea51fc5fb2c347f7272627ca0baf31

SHA256
bbf9ee059bd896cb6b041ae66e3e04613f8edf7928a75d1798e2a6c4c0d24ae3

SHA512
880337e34f966452886036fe2570e1bef26bd629ff3918a1140240c4d2c54a03034cf313d058d7d25b201860f1882d558eb84a749625156959a95ed63863b46e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E241BDBAADD09335A51B5C97D3F911B3

Filesize
727B

MD5
4af21687b21f32b5c93de9c9c48e287d

SHA1
a00c812c9ba609725bd5baed90bffa6e2ed0a44f

SHA256
01fd4137773d5fae85df800ffb5aca9d0698f38203a223d1132108f3ba1d5a28

SHA512
678db0cfc43969f5419e8276a885d847cc852fd4021545eaf25d770dc126608a09b2b4f155e88288f7d68d27cbc47e306d44de7998ce092199d014d4fb4b1f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
5a2f55932a33a33eb8a332f8d9a633c4

SHA1
132a352b4a40c3ed0452c2388119524a9874c9d0

SHA256
666a6c6c02f553c7b188feec8ca392314146ca6dbc1f7dc9050d47d3585837c4

SHA512
be18e8372bb88a4318e65b682c0714b2a9790bd21ae4d6de280351b954c535890071495f2990f4e5807ed2fd83aa9b5f33beefc85035533ec9a3cfe738122be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
7f7bf10ba5f83da3e9b28240e6898c0d

SHA1
993b19e42eed6dde55c20f6154de7b1eff1dd676

SHA256
6f69080feeb7289304631a939b26dbb9f549539701011b000285d06a36916e4a

SHA512
16930255da4508ddad3efd62f7b4206121754c94dd5587df869a11dd1ec779aaf9a5277d869b8174a78d42f556c1bd7d809142383adbf13746c0adbef7c4fee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E241BDBAADD09335A51B5C97D3F911B3

Filesize
404B

MD5
1481ec990d203ce02d7315fd932ffb7c

SHA1
27eb39c6197fd11d0070f298cbe5701069f29e6a

SHA256
e4c1db207f76041b14a08fc432cdfb4f8a0dc6a46742dd0effd6faabc70d93d3

SHA512
3e8f08a8508a6b13d347398239117b75b3c8383411dbaa41806f5bba8c2207bc5e333605b4f144109dde0ed74285630152f3651c0e1ae67701df533aa82d2992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
e8a353978847890e23ce7485a19fdaab

SHA1
037ab9852d0350763a4224ff120232c24efc4268

SHA256
6d015ebca50c89a1a205dd15d51263335822bf5195e151b4b1a4e92c8af0b49d

SHA512
b2f5dbfda0ddd190a0015117dd3b324132afacfba61ec8d3c860f9f282de7b72c8a6898e05f65d2c2f64fa955ff3344a95b5e97d5b86f87e45093f9e483fa93c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
273d2cbce45caf2ede717d027049f931

SHA1
4d3880a875edaa72dd9cf1b44108c5748cb3dca2

SHA256
37b7d501862fc5714342a23f53d38d130e4f685f0c7302c4cf9df83e20d07154

SHA512
c2dfff0f1d845d68cac6758161653cad51fc47644cb4231bd92dbf4a140b50876312b254f9381a5b8c42723d00e123956706e94c2c41354d36c577c79de8f5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
58KB

MD5
9b603992d96c764cbd57766940845236

SHA1
4f081f843a1ae0bbd5df265e00826af6c580cfe7

SHA256
520408fec7c6d419184ec68ad3d3f35f452d83bd75546aa5d171ffc7fe72cb2b

SHA512
abd88ee09909c116db1f424f2d1cbc0795dbc855fef81f0587d9a4e1a8d90de693fa72841259cf4a80e0e41d9f3e1f4bf3a78c4801264e3e9c7d9635bb79ccf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
40KB

MD5
5ce7bdeeea547dc5e395554f1de0b179

SHA1
3dba53fa4da7c828a468d17abc09b265b664078a

SHA256
675cd5fdfe3c14504b7af2d1012c921ab0b5af2ab93bf4dfbfe6505cae8b79a9

SHA512
0bf3e39c11cfefbd4de7ec60f2adaacfba14eac0a4bf8e4d2bc80c4cf1e9d173035c068d8488436c4cf9840ae5c7cfccbefddf9d184e60cab78d1043dc3b9c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
22KB

MD5
8cbb8990a0918fc801753bcbdc920ade

SHA1
c86910736c1bff8aaad54555bf0283792c0da8ae

SHA256
548fe26bb13da8e9c9a4461dd19d9191f038986b8ef62041757cc0f8527d125c

SHA512
0feb3497096fe6e2db5ce52e44d8489e019b2066faf6c9796f9441495ce5db940516c6421a3c2406c95d2de05d32f7e5640f509d7e56c364ff2506d700b604e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
20KB

MD5
636b6c59c9c6960f2f607b0203414c53

SHA1
80cb4c8e0fdf5a35e4e83cd34dd1c4e5061d14aa

SHA256
c75300efc96b9bda705eded95c795f2cee70c481c5cf2bd77dc649dc330ca478

SHA512
b00f352a6c4d6f48331d548207fd5573b34a0d01dab23c887a2a461ea3ce2918eded6a07c8af0c11a31d2699faeb99de020b5947afd846e80ab2e11178cadfa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
302KB

MD5
079af0e2936ccb99b391ddc0bbb73dcb

SHA1
7237d9cf55f177702066a28a4dde1e4c7e8ab576

SHA256
41ab0f707a2bfab8133ccdfcdab52282f5f79e5751f43a264805451c7bb95fb8

SHA512
0dc66e3ea9fe00ebdba8636f563842e4170f21fe3dadd57ba59cab416ca3326dc887332644b0ec47cf0911d7396557beb420908d3e90a5ea7830efc4f0a482fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
16KB

MD5
adaac9e8bb008cb956d74b002bef70de

SHA1
cf9e9136c35317db28b387e6dc2a4855f8f3d494

SHA256
525b335ae04847782266d306b6b12b56d6fbf493d4bb316afb22cd6fb6ff3749

SHA512
d9fd0fe9776d14445b392a93c068ba69df03031008dba4928231a3d2a4e1518becbd63122c3ff85bbcddf7d0d41f388cae5985c25a9b71a682cf52836eed5454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
87KB

MD5
dc5e7f18c8d36ac1d3d4753a87c98d0a

SHA1
c8e1c8b386dc5b7a9184c763c88d19a346eb3342

SHA256
f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d

SHA512
6cb4f4426f559c06190df97229c05a436820d21498350ac9f118a5625758435171418a022ed523bae46e668f9f8ea871feab6aff58ad2740b67a30f196d65516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
307KB

MD5
ed533866b5c83114c7dddbcbc2288b19

SHA1
a418a8ba73bbcfa8c131c426ab836d78457afa9b

SHA256
10d48331f5b3c7362ca357b00c17ac4863ad35199b13b0eceb0962c8c1ad7dc9

SHA512
f0653d74393bf0b78685cbbdacd1e8180034d51bdefc6af8e0a3a7a4b913a63b20a2c72093f82daf9d99c40efd65ab28d916d3e439087552be4dd7f8a79c6f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
56KB

MD5
81cd855ccf19c3bff713b69247d81ccc

SHA1
46b94f84c0524d8031f6d1154ae81133a68e0d81

SHA256
d1dbdf0eed8ea57afecf63475ec2fab683551db9b84c56b00eca6c51db0b901b

SHA512
fbd824c40e8cd1e5405d7145e22cf681f644224428caa3a0142a3164dc24107394b7fa5cf5e7f791685b3cbe16368c0fcd9b0bd7481a177d63cb4ceffee5c7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
308KB

MD5
07a48beb92b401297a76ff9f6aedd0ed

SHA1
431007da316de60d85174aeec9b8389b5c73e7d6

SHA256
e8cbc2b88bc4268237ff5e251776d3c54edcb14e015a9e66e4883bde4b55f13f

SHA512
703756e6869bf5d6f2d2c6800216979746c351160a7adbdb0e31a0adedc3bc88c7e4d25176797ca9b3db535a93be93437363a71f03ca89ffe438c70b113ae7e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
308KB

MD5
275bfea5dc74c33f51916fee80feae67

SHA1
48747b7a60086f97af0d373febcbd1f1bee87f17

SHA256
790c108befe859dac2ddbd20af3fbb6917c601b3d544c8a05761519f3b5508fe

SHA512
0b82f93805dff2769bad25a503c6264094df6f403a636b039a8917aa2a1580b0c70c70ff4eb5135dda83aff0c3092e2a707216920685162ef52b395f82a86c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
141KB

MD5
fbd6ec73c494c3d280d96edae2d75fc6

SHA1
29611ee2aa620d39106e8fc2081db0a5c9ca37a6

SHA256
34086c6a19e67e8f46dfda5811cd02702dfe8a109c11bf8447f722e8bd6a0002

SHA512
15bf17f44252b7a14d81995c8f645985519890d5d3b1fb5637f72e2f481a720649e1571c2b85c125fce43f209d0a6079c240399d7eb7fbfee1f021901decb210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3e9e8ca79a7ba648e81ef98e8b6fbe49

SHA1
004dd39ec3c9da41ba4afeb8e4f7e990c2f1cbe7

SHA256
6bafae49636ede048fee1b1f8ee06abded23de782b841d1cbfff2e9d035fdaf6

SHA512
654aee5c8065235e30518f945da374c4df07653f18e0d504b9cb1832e25ded7ad8f20303f8370b685cecfd8f855d0c236b4739e1d51f95d3e0487c68bb5718f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
fd6a45a363b1cc14e20a9b482c4ee707

SHA1
1ad11ba45d4f1b688ae405fe094f700cda55f87c

SHA256
42729e8f15ab3104e8296fe8609a6b90ae9acef2193c12fdfe8f794f8154cd17

SHA512
f6e67f2a1d33cbbbbcf296c1b34156b3caa6eb2a05567db95b8a21149b57c1973c05f644892abde6fdb15ac0d1f58d1f2617ef9ca7f0a4d83ad5053ddbe31b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f244c90c1e74538fd0e40dab95622e6f

SHA1
b86b622b1b39aef0739c507cab38def29003b73f

SHA256
d07bd92460bb8e25ed96ad0c7e0725956478d62e60c18b3f6224359f1c77f153

SHA512
5d9fe5f4ed0e432438d06157e5296880605e8d275ac81707849b5349d6179d4c2c54aaee080cb3be590fb274849584034f1abb047289d68e29d9afc9a7a34324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
93c8c455239d6a554800f334c685ea8f

SHA1
ec8b4d9f198c1fdea55d805e730ffbb145b99ef2

SHA256
a896ea6c81e18bf309809905f8caecf750d7365b46328ff9fd3186369faf31ba

SHA512
6727e3fc3ac7ad1ef38a840dbf78a44f0cb38aa8b596a78fdfaff4ee209236fe66a400e5bce6d44112062ed1c092a6e705cf2dd17fa255ee1e73882218d88547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
91cf5bc8cd027293b41fa419d10c6257

SHA1
364437af21254c8b325cd8989f36e88345d13475

SHA256
556004c1b2673d3a518e6da7ef4ea28817dfad98c52f9576c7b14177b8380009

SHA512
f5205673d7f571eeaf0c176753ef4efff7b4b868b0e813385ce4ac0be23c0dd4c72a1bef4b29045eeb4dc66fc173a8d6240cf939e47a9f7996a253c4e77d0227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
c599db2ed64922e33dcea3bf86ab0d90

SHA1
39e0aaee76f3895af12e5f4057fa3d3143725432

SHA256
ef42c6fe03e71ed63816e60cba7110911a9369f4adb74e71b08dfca46fb98dc8

SHA512
7867658ceef02dad0159a296d36eef8b31a612106dfc6544cb712ffecded8f17fc8f1c916099224248c26b4f595a8508be0c9a5b909658da58fbeca252976343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
18c9de29105cf422f967ed1435cec503

SHA1
66be307e204c2629e4941b801fa90dc4ce0d0a48

SHA256
5f4c2569276bd07702e22b21739e811a2f08347e2484aba2a9eb05c7828ae3ca

SHA512
34a0faaa56ebac078bdc3075508b64f8d46d1574ff701beec9cfb0fd24514b4ca3573d4fdc319050bd88e98de87ab348092914f17f088e64b9474658af94ccac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fb25a4b75f043b720b931cd581241218

SHA1
82dab73f0c54ee0105ee4b546614ab351d568112

SHA256
1db41801538ec511ff4e6c73dcdbda74bd44e5dcf34c975bdf6024f4710237a5

SHA512
66b58cbaf0c9c8a6ae4ff628f8efaf863d8d7311a4233b58cb80e6d248d5078b789fce0a8befe9d6b6f52905afaacd789e20dd57b9681b368bd95944b4cf9364

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46cc5167a6b86f8e9f31f5bea17c0e47

SHA1
8d36e0d6a73574548c03cebafd06b29c4395b042

SHA256
592f1de1a652d9c4a7566cd279e385386ac2286b046126d30a7a4599c7191c03

SHA512
457ae74806b7f87df3a6114c3cf2c2db04c9c5fe8c082bc2b4cb8e3cafe91a4ac8583d2a817dd184764a0c6d85171f87863f8b05d8272e76e55c0b83a6f4bf87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
32b7b2456af8325bbeb67aeebc018cf5

SHA1
539c5571a46e50dabbb3c78e35b813009593fa12

SHA256
ef5cb82507a4440ea730e2c6e142e258760c8c50cc7ba4114fc284cbf2051eb5

SHA512
fdb21f4e75e7109916c2e76af70790d71e2e94f78e2f28c91f48c7fd3f4ec3e476000454740147adef512f542b3ca2a84ba38df27c4164729fd8bbe442b4fece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
79787157d5eec4c60e8e96fb7746a6cd

SHA1
18c9593239e805664c084f36a50fc6748f4ef541

SHA256
c75aeb226d7ecbfb119bd2567818349948d0c12f3af648f4ae651a602ca4a675

SHA512
ea6ba360f8938c554ddae3417a9032b93ce5cf8bdf918a4559a175bb25376146b2c673a47b34371bb346b570829210112b87ff770f83677f51a86bf811939a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
54e795d6fc1e703f3e5645343ddfc89c

SHA1
d4792206c6caeb8e831e0458c9c442d78d7bdf1b

SHA256
d73f08ef5dff472c0405ba82b560b6ebcccaf36f32bdde0eeb58b4fef7dcb375

SHA512
3dd456c29a693e9e8bfb0cf461bf853f3afb8da3d0a0e2aafdb7a4e0292e03facc1ec10d5fbccccad02e77b261d716c7773cc4d1397883d1b3bd58e8e2d17261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b5039f2448f9dc6add939c9efb196503

SHA1
6b44bc4710be268e99adeb26b02e5537313d73dd

SHA256
e166e2267c398308286843ecd629ecf683da86ef2744e4a39ea260f8faed45b3

SHA512
99597b96651493b70c664be3a521400c481b792b893d2ee1cb21c733d75f3285918f8c2374a54c910c5eced39bc541a2322e0cbd8568ff7718cb3eb5418cff2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
030cd3d000670a1dd561c5717ff5f552

SHA1
c2edd11082fef1a9bda12fe6fac2c6a343897927

SHA256
18fe8015cf9f4ecb315681afb86fe51ca326a45937770948928b150c88684c00

SHA512
9fed4684c9503c58eec336af31a3f62d19137b8492c27b0693435847c0812fe238b0a400825dca9ddebcde3d5ab4f2588d524c4cf22376f183c3a870e21322de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4f088270b8f9d2c33a9a3c7be84b8cc7

SHA1
cd366ed28fa8f5a33cbcdcc07b24acbbdd68071d

SHA256
00f47792caa0884617a71464f2c55103626f42bde733758fb466c42e0a59564f

SHA512
634ca8272abed68cb95974e0b0c66e4a920538e4c94617e3b7a479a1d460bc55fad78955e0df7a5176a11b6be9deec81b89014dbeff3f37a3f1f9781d90cf281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a857150a68e81ef440b3b48813d3b759

SHA1
001d4861622fc24342b7fff1cc7d7d84a6267d52

SHA256
5ea29d8328a3b4e2e3fbf7b840051dcef4af238eb264dc8c6a20d2611b0b4d41

SHA512
911f40e02033027b64964d726ddb1cd6ca727d9be495258039a21b1b93f8c5c34b3c39d8911a8cab1fbbc72c424728fefafba99d20a96d0ab3f9907f3bd9355f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bcd7f9a96207fd7e8df6bff080e039a6

SHA1
c6c521599465917d5243d205549501554b8158f5

SHA256
c7c081fa90f28913ef254ca43519d3619bddbe78ec16cb7b09c48b09b3c753f2

SHA512
dc0fb7c0936457d8b2f9e10b8693f0f19c6cef6d1602baaed405ba11f57d09e8cf398af2ea9e8651223051afa33d4fc818dc428ec9cd816fa1f94b2b91e06304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0074107f3d5d22ec8f70a77dfe662636

SHA1
906d61ba4f3c53d42b5ff0b4b7f59b40c1a9964b

SHA256
3974a725830ac54ff369dcaed5aa0381569bce0ee7fd36b7cb972b9040d2523d

SHA512
d9789ca4d061f609e18b6de76e8f280a15e66740c4cd4de0733d285701867222fb0ed02ca834f1bca21147e51c96c7c8976a4eab2e0bb91a85ad27742543c277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
5a14e05b3107ad5fbd3868e92a7968ee

SHA1
ca1b1d603522e4b9f41b5c0a3326f1c65cdd15d7

SHA256
b67692d8d4f903492131a99bea17abce1f717b90cfa793709da72525bdb73ace

SHA512
8c90aa445da5d4d769d9e72a2786c902970e537aa166990a6e9f86022ee69f8866181159366cbaf13df9ee07f54e92f8cffeee23355929357f4035c530ae7d23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
d80c0fa1bd3a747ceea8f2ebf8ff4a80

SHA1
853352f66121d53bfce02ac2304907cdc6c9f40a

SHA256
145378997a6600d880dd26420ed9db780af985686a0bfca7bf3a4ca5ef1fe497

SHA512
d53cde35ec2817e5c77355317ef973e83a3c659e13b47c5bdd4555ae5096459c23d7f0675e8a6747dfd907862939117bcbd4a4df03bef0217f9231faa5b98a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
5befc93ee611932605821ca270dcd422

SHA1
536f004b5accec59af72cc753ed8695195c1702a

SHA256
50abf09c284e9e823bf7644cc3bff65ef540bb048622fcb279c56376bc0e9fa3

SHA512
29e2ee21d2c30bbdfa81970b18b2d01d4f39182393598aba9c4136323d11df53eb5a014b340ee7f73da8e621b8f3a86b68203b96e43ec9c63e64835e859e938b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
b2e2bb56901656e9838bc3d9d19e2a27

SHA1
c88ecdcd4a9f8e51cf8155cda346ad690ca27633

SHA256
77cf931257fc4ecda0805cb0877a3ca08ea724b07ddf070faab2da0e1ff43c92

SHA512
b4be9481fa57c459c3553476b0faeb663dd89f14b79d65a7fc22a6c20d3ab7e084b3f912486161a1a31fddc8791669c89af60aa7d9d5be3b51a9422fee121e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
85217dbd9f7fecb6db93e0faaa6e6588

SHA1
b2ae5d863aa379fb95318e6b594b191f2ac0f55c

SHA256
c695de63689f65e35ce18031c4fab6d302dd22723a82e4916bed5eef4cab91e8

SHA512
fb331ab3e49455383c721cbac765d4417a6a5f1190f9e518705bd1276adb4301c68e59750c5b371967d4d41285c1cf573322b1622a309a055d967f4800eb5546

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D7B.tmp

Filesize
74KB

MD5
bb373102912c77f80a4bf5089391f1b7

SHA1
e5b67e597690af18e8f5271520946f856f86750a

SHA256
0fd225cb064e60e864a001c687274abb3dc774f1820f2afefc6b14b838e939f2

SHA512
0133669aa262f5392121f44616978c178dd7c7c63766dc0f25421b2616f6b301936b97759c453f537e600bdee3ea940c4d29a9d5b7acac20e69b7c4ba1b39dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\swtlib-64\swt-win32-3655.dll

Filesize
577KB

MD5
2a39b7812427207ed970d3784e2f1804

SHA1
4e849aba806dfa11f131069aedaca1c12e354e3b

SHA256
8a86c01cc869c539a49af98d9066c590d4f1e1fe4a243972c8823af769a81c77

SHA512
94d59ff43c0b09d1222cde18ab7a706d93b255a3406c1441d3c8f61de3d6081fafb782022139d3b3f0bb75fa57f33d45adcc1f2aecf28ab27e5ff7e8e36437a3

Download Submit
C:\Users\Admin\AppData\Roaming\PPClientInstaller\Install.bat

Filesize
1KB

MD5
44972c406eee830c152ff39189201db6

SHA1
4d121abd15769358ca7d54f2eac2da5584bcd97f

SHA256
44632019c05c4adbed38cd68a9de20c103fb39c6460140f28fdf5b0db7218e66

SHA512
0c216b7ea7fb544c7e4aa7d7f89f6a5725b8085fdc4197620be5f8475791ff90b030349929c1c34d14f51081da577953371de9e5cf4bd3b1ad412afe6f1dbbcb

Download Submit
C:\Users\Admin\AppData\Roaming\PPClientInstaller\PPClientInstaller.jar

Filesize
5.2MB

MD5
25e5f0586e25e4459838f0fc9ba46a52

SHA1
0c3c24cebc6aaec7146c72bc4e21d4009058adef

SHA256
4be4853f8bb4951d1addc28559feda2ab834ac17514fea787887a5f058c14b71

SHA512
9e965f30ca3f12a1678637a91e56602c3617edf3ba0a6d1a30d1d9c28ae3afab701a88100c38dcc0932ee5b790e85380d5f84f45fad6578254fd0de7e8bedee9

Download Submit
C:\Users\Admin\SSC_PPClient\ReadMe.txt

Filesize
817B

MD5
f2d7aa405791b9cbb8f79f5b967b121d

SHA1
bac9bdcc9fa396e589b74f3d0f6e96256e8a4be5

SHA256
b63fecd60fcdca86345e5e3246ccd83de9a7797ab22337d87b337449c17dca8a

SHA512
bec0d2a24817a8455d3ff196e503d7568cb5381bcb954bc1520f566517cdf9a11401a7fd0967a504c4cc550b80317bc628e8eca00d1887473d7e4afcad55d2be

Download Submit
C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\SSCPostProc.jar

Filesize
22KB

MD5
d5df68ff85b4f90dc1267e10a96f5ce4

SHA1
bee3013d93fb1b45277d78fb543f78857490ca16

SHA256
4fd620d8a4b458ed673417502b889fb3327280c676c58f34a2a59645fc06ed2c

SHA512
d8cdc69997a169197121be3029893474d7911fdbfc79ce170b33b18abfdda9c8037cebda415ea2803eb87e266d39548c3ba6ed3e2c7dbb3cb19a45b7b7cca92d

Download Submit
C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\tmp.reg

Filesize
2KB

MD5
de7f275b3d6179789d9e1427a0873ef6

SHA1
a76e76fe8d848672088226aee079453a94fa7f61

SHA256
a4cca81e14435170fb32a779d517a6d160b989ffacce53d820bf44fd7189136e

SHA512
5c3d6c70c855f2b46a434da717ab9685120afe742b454b58ab91409683a5037953277da20805e87e390812e04b428ba74062b8c1320b3a34afdc4caa83a34096

Download Submit
C:\Users\Admin\SSC_PPClient\SSC_Post_Processor\tmp.reg

Filesize
448B

MD5
d13bdc4bdc6c3b1a26761adcc9c30cc6

SHA1
5c7622b49f6744999cdaf79a9d621b590dd2c27e

SHA256
0fd661e17bcf5ea22f4e5f62da38cc5f6be58af67360d3475804791c3ebdf4f1

SHA512
7340a92a750c501e1b6f7a41707d7b27cddc71a7287adb270b97998d966cb611dabc7038936bdf631d7a3d704bc166d9cbe073103937059dae68e6ceb8decef8

Download Submit
C:\Users\Admin\SSC_PPClient\bin\CreateShortcut.vbs

Filesize
429B

MD5
5584f9842a172925be7f304aeb91b3ae

SHA1
ebf18fe961805ae63f246b4782a267b47fb31730

SHA256
28182970892b6be3b51685580dd3c8462520c1ef7e8ca8b3f9e5799ea4696464

SHA512
6e4fd69d3d3b4103a8ce8efad593a90f202e3e1a6b9e33e795cf2b20d943faf4a536d05652e4eaadc7dd7b6acff1c03eb515edbf1b33fa695d0f22e1cafbd375

Download Submit
C:\Users\Admin\SSC_PPClient\bin\RunPPClient.bat

Filesize
1KB

MD5
5ff43f5b9a7c66a2cb8d7125fceea71b

SHA1
9a8230290c9673e470b4988901ccafa47fe1f9c0

SHA256
52945fd101775f3a52900914bebf973449c8058fa4fd87aeca229480d1a79444

SHA512
3226627a3c368fbf2b4e861947be811ce4c096eb4239d470b64c57b7d972cba440481c3302b510f8bb5e17a316d9f3f3070501bef0e7c0066306024911931198

Download Submit
C:\Users\Admin\SSC_PPClient\bin\hs_err_pid1600.log

Filesize
19KB

MD5
0bd629426df3b6d4d470748505316345

SHA1
0e8707c98babbce29af1b5eb3b02996c49b8e71f

SHA256
555105aba114577d4f9b3150534d45e61cb3b1e4cb66b5ffc7308f9834e303f6

SHA512
cec2d1a91d8cc20fc7a78c57367fdddd8e18766b36925ad7a05d938a801f234b09707bb67d68eb3bc6aec040fdde2fe8bc41ff9261fef2eccedf28f1b419de5b

Download Submit
C:\Users\Admin\SSC_PPClient\bin\mySTT.ico

Filesize
3KB

MD5
e60db5076d8c4d288ec7248359c13af6

SHA1
473e77b1e997f6e0579687ecb5b85b370b8b6179

SHA256
46353f94a33c415728dc357257d455e14444937999e6c558ccf4de00e1c1e53b

SHA512
27368b39c4144953c0e62486f1a5f4d7753dc9b434883360b3e299da3f6bbcac16ba140792e94842df61084926f33e21ba9a83fb1791e36c67fae2912931e34a

Download Submit
C:\Users\Admin\SSC_PPClient\conf\ppclient.properties

Filesize
334B

MD5
4a52f313db2db09fe2912acd99626e8f

SHA1
ce5c6906d6aec7630bc3de7eaed5895de7e6b84a

SHA256
8450f190551b281839976f7646921dfe2a81e54ea2cc5a5b750613039ebc9a74

SHA512
e85e72f4c0c33946a13e95be43329a8ee6db1d4dc4ac2b2c265945d5d169d708ff88c3636c5f433b2d6e703dadf8506dd23b396ffcd835b0b353a1352af5063e

Download Submit
C:\Users\Admin\SSC_PPClient\lib\PPClient.jar

Filesize
144KB

MD5
88c14cd7d300d7543ed9c5da42f38598

SHA1
77cf966b44a137af0a7b3322467b8ae950fe3f8f

SHA256
5e98cc081d2fc9bd296954db7975130bea1428427ffeaab3fcf7abaaea2f0f75

SHA512
9db9c824b7c024ab453865be30b0b2afd23b1d2a6ba42d980c3b2fe8e56f9a70bbcb832537d8ee70b85bb52fbb844dbbc6d3e7edd9d98a0e3323b8dc06b11b85

Download Submit
C:\Users\Admin\SSC_PPClient\lib\commons-codec-1.3.jar

Filesize
45KB

MD5
8e149c1053741c03736a52df83974dcc

SHA1
fd32786786e2adb664d5ecc965da47629dca14ba

SHA256
1bafd2ece2e88db4cdf835a7f8f0de65fab5b1147977a5dcc59b7c1b8c6f5080

SHA512
acea0a510bb701c7bae3cb41b5c61a93e72b99c8441e5081269856df906fcc6de1977984f229eb78d0dc1601492a36d9992611c1ff5b8ed3f7b96294d67ecc29

Download Submit
C:\Users\Admin\SSC_PPClient\lib\commons-httpclient-3.0-rc3.jar

Filesize
297KB

MD5
3daa51ba641899ea097325d21483aa63

SHA1
06542bbceff3a7b75ccd25adb371309a463cf011

SHA256
537cf50ff9e90b25afc54649e69d26e90bc6ddb769205900a42a8a04475839f3

SHA512
0ec61946328b528b37ea76d1a1d37c9c09e290cd776938153699d2d9bcb4b2dde73d3fc6e7509a854e4e252eefed055fd4bfd4eb4136302b48c2262dbd44c345

Download Submit
C:\Users\Admin\SSC_PPClient\lib\commons-logging-api.jar

Filesize
25KB

MD5
0b98e0895cd4e66c3eb4c511de112163

SHA1
544f72427e94a5c55b65a9b81c55c54059b4f993

SHA256
e168814e138fd3c00ba5e6dd4db0cf64896dfaa0f3a890d0d66652088fd01816

SHA512
4ad176095573cd2de1cbcb6cecf430822cfad198e10aa1eadbf4e8f4c204252aa15fb0dc3bdc3442710627745a04f5ac67223f2237abc13de9f669efc3ef4297

Download Submit
C:\Users\Admin\SSC_PPClient\lib\itext-1.4.3.jar

Filesize
1.3MB

MD5
89a2db0f9313fd95f6daf8f910022d5a

SHA1
e5743e2643cbb90eda105cf514f80dd1c6d6efb7

SHA256
da0a39e27e56db6f08907b36dbd82a0a77c3ba7100955f6de49d2ae09c69a1b5

SHA512
53b8d88abe446ba0e71edbcd4a57ec11372da73cc567ab6521c3808ad62033388f2ef8999dc2788c24266ef13d9fa02f3ab6c4cd9097de56bd74aba43035404c

Download Submit
C:\Users\Admin\SSC_PPClient\lib\jcifs-1.3.8.jar

Filesize
382KB

MD5
47cc709ef21f9c3a31640cdfe311e9a9

SHA1
a5dfda7b57d321c0ef995f436747f467385d4957

SHA256
27547c7cae6554bd9b3fdd677761972e2c897364cea7932659e7eac3e00a5d11

SHA512
194392bbbae7785d157e964c8889b12af2e9901945837e69331a8d6d8ca45e49b18ab4806932373ff31c4f69736139e36a1fe98f048727e3be3d9de6376840ad

Download Submit
C:\Users\Admin\SSC_PPClient\lib\libE2EE_v1.2.jar

Filesize
47KB

MD5
e36cd9f9135cb450513c1910eb8d3ade

SHA1
a2eb5892ae6974e44ab88fa141d935978f184a41

SHA256
e4b64eaf9ce319c6631071845c105822474d865311449d52f376782fd5d678ea

SHA512
5589df885ab50505a9582d3bf827c0c1c2f1aaa6e713ead403b2af63c961a76f570724bbb91e7bb6ed834b0f8fc83c2720cfca330001697a36bff541e24d3d23

Download Submit
C:\Users\Admin\SSC_PPClient\lib\swt.jar

Filesize
1.7MB

MD5
047fe359df8b92d86af8096d8ceaac25

SHA1
f7842d7b9dfafd552711a6e38cb3280bbec52fd9

SHA256
d29110bd12c1e653d7a36bafd8218572df2ff90774d137bd9cc096a1b753ba40

SHA512
6c5dd8162c3fd0e6b482520e93899e869c659d3e24a780567bebdd4f637c9286ec115a86996f6f3665a0c289d57efa5eadaf874208225f4f43fda20e6ef354c4

Download Submit
C:\Users\Admin\SSC_PPClient\lib\tmp.reg

Filesize
302B

MD5
5c77f58b4fb586845e7ccfd1cabbee71

SHA1
88a9092b61dc771c6d2aca9d7f9580db80c3bb33

SHA256
7121801103541b4313e161794550e18e9a6a943dfdfbeeb146287db8dcb0bd6a

SHA512
816a43b5f67bc551f81499a83b534d31cadc570c7a007e55973f862baf5af2e48f83b9dbce38f7bdb641bd516099d15da92ed45321744d5ca610b33a45df2a5e

Download Submit
C:\Windows\Installer\e57b297.msi

Filesize
5.5MB

MD5
00980613a95af934dfff12eea77d3bd4

SHA1
8d9869186bf6236dcfc75891879d4afe817534c6

SHA256
60a85ea9008ff6df7260d2a4e325fee8658ed8df5b90b80ae85a4f8c8ce8f9a3

SHA512
ea7801151c02bb67ab32f3aefb7daec4cc9ea10a18df410919059efbaa4c2c5faeb2bcd00d1ba5b830fe480e9f87697e48c40aebee7810e2d584a2729c8bb67e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
59b3c81c9bee8b3806f672c5482a42dc

SHA1
7dd8516173fda3ec1bc63ca20e192116a04568ab

SHA256
be1537fdac78ac9b52fb9a24e1d93d495bde2916552ed49d2009a635256f1557

SHA512
6b192a47fba30f9df0059453a337cfc9bbfbc359d46af75a4d0a125780607740e2f0d33273d03214ad681e7bedbeecec296b61e4d82f89719b4ba5153c443e19

Download Submit
\??\Volume{dfbd5e8b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{840638d1-03c0-44b4-8b84-798f3ce29d82}_OnDiskSnapshotProp

Filesize
6KB

MD5
b8045e8fe1871ecc31d488526929d329

SHA1
dc82c1dab06b410345f5f3bc03ee3e5aa17e3896

SHA256
f068d4d7c9dc15609102880678ba0187c253f7291dd28ba399b4f84910abf25a

SHA512
8b5d032e5706a421980f8c5adec8ad6caa0d109e2ffd3e7a5d6f05eb2eeff333a64a42901a91dff0ab3c723411bad5e3f4418c7513dac193483795cd6fd8b59c

Download Submit
memory/1600-164-0x00000219BDA50000-0x00000219BEA50000-memory.dmp

Filesize
16.0MB

Download
memory/1600-182-0x00000219BC180000-0x00000219BC181000-memory.dmp

Filesize
4KB

Download
memory/1600-206-0x00000219BDA50000-0x00000219BEA50000-memory.dmp

Filesize
16.0MB

Download
memory/1600-199-0x00000219BDA50000-0x00000219BEA50000-memory.dmp

Filesize
16.0MB

Download
memory/1600-196-0x00000219BDA50000-0x00000219BEA50000-memory.dmp

Filesize
16.0MB

Download
memory/1600-197-0x00000219BC180000-0x00000219BC181000-memory.dmp

Filesize
4KB

Download
memory/1600-203-0x00000219BDA50000-0x00000219BEA50000-memory.dmp

Filesize
16.0MB

Download
memory/1600-202-0x00000219BDD00000-0x00000219BDD10000-memory.dmp

Filesize
64KB

Download
memory/1600-201-0x00000219BDCD0000-0x00000219BDCE0000-memory.dmp

Filesize
64KB

Download
memory/1724-269-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-244-0x000002358B680000-0x000002358B681000-memory.dmp

Filesize
4KB

Download
memory/1724-234-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-273-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-272-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-271-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-270-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-264-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-261-0x000002358B680000-0x000002358B681000-memory.dmp

Filesize
4KB

Download
memory/1724-260-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-259-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-257-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-252-0x000002358B6A0000-0x000002358C6A0000-memory.dmp

Filesize
16.0MB

Download
memory/1724-247-0x000002358B680000-0x000002358B681000-memory.dmp

Filesize
4KB

Download
memory/2440-122-0x000002CEEC400000-0x000002CEEC401000-memory.dmp

Filesize
4KB

Download
memory/2440-106-0x000002CEEC400000-0x000002CEEC401000-memory.dmp

Filesize
4KB

Download
memory/2440-86-0x000002CEEDCD0000-0x000002CEEECD0000-memory.dmp

Filesize
16.0MB

Download
memory/2440-132-0x000002CEEC400000-0x000002CEEC401000-memory.dmp

Filesize
4KB

Download
memory/2440-131-0x000002CEEDCD0000-0x000002CEEECD0000-memory.dmp

Filesize
16.0MB

Download
memory/2440-130-0x000002CEEDCD0000-0x000002CEEECD0000-memory.dmp

Filesize
16.0MB

Download
memory/2440-156-0x000002CEEC400000-0x000002CEEC401000-memory.dmp

Filesize
4KB

Download
memory/2440-125-0x000002CEEDCD0000-0x000002CEEECD0000-memory.dmp

Filesize
16.0MB

Download
memory/2440-204-0x000002CEEDCD0000-0x000002CEEECD0000-memory.dmp

Filesize
16.0MB

Download
memory/2908-75-0x00000143A27E0000-0x00000143A27E1000-memory.dmp

Filesize
4KB

Download
memory/2908-66-0x00000143A4050000-0x00000143A5050000-memory.dmp

Filesize
16.0MB

Download
memory/3564-58-0x000001BBD28F0000-0x000001BBD28F1000-memory.dmp

Filesize
4KB

Download
memory/3564-50-0x000001BBD2910000-0x000001BBD3910000-memory.dmp

Filesize
16.0MB

Download
memory/3864-154-0x00000234E9980000-0x00000234EA980000-memory.dmp

Filesize
16.0MB

Download
memory/3864-152-0x00000234E9960000-0x00000234E9961000-memory.dmp

Filesize
4KB

Download
memory/3864-205-0x00000234E9980000-0x00000234EA980000-memory.dmp

Filesize
16.0MB

Download
memory/5040-224-0x000001CE04A60000-0x000001CE04A61000-memory.dmp

Filesize
4KB

Download
memory/5040-219-0x000001CE04A80000-0x000001CE05A80000-memory.dmp

Filesize
16.0MB

Download