hxxps://winworldpc[.]com/download/c2ad50c5-a145-777e-11c3-a7c29d255254

Analysis

max time kernel
284s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://winworldpc.com/download/c2ad50c5-a145-777e-11c3-a7c29d255254

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	7zFM.exe

Executes dropped EXE 8 IoCs

pid	Process
2488	7z2404-x64.exe
6108	7zFM.exe
5988	Setup.exe
1028	Setup.exe
4564	_INS5576._MP
5244	_ISDEL.EXE
5356	Flash.exe
5380	Flash.exe

Loads dropped DLL 10 IoCs

pid	Process
6108	7zFM.exe
3508	Process not Found
1028	Setup.exe
4564	_INS5576._MP
4564	_INS5576._MP
4564	_INS5576._MP
4564	_INS5576._MP
4564	_INS5576._MP
4564	_INS5576._MP
4564	_INS5576._MP

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2404-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2404-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2404-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SWFlash.ocx	_INS5576._MP
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch00\search_multiple.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch04\F2UFA350.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch07\masks.jpg	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\cont07.htm	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch01\home_text.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch02\library1.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Sample Pages\Form Sample\ReadMe.txt	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\movies\snip-shape_tween.swf	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Lessons\1 Introduction.fla	Flash.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch01\contact_actions.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\00intro9.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\01tutorial7.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\02basics2.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\02basics8.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\08symbols9.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\14shortcuts6.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\help_index.htm	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch02\contextualmenu.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch09\onionskinoutlines.gif	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2404-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\13publish1.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch04\F2UFA340.gif	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\00intro1.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\06import9.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\07layers3.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch04\rotate_twice.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Samples\Flash Guy.fla	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Lessons\3 Symbols.fla	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\00intro10.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\08symbols7.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch01\buttonbackground.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch04\lasso.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Lessons\1 Introduction.fla	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\02basics18.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\11forms3.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch01\crownplace.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\03drawing2.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\13publish49.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch03\F2UFA240.gif	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\03drawing5.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\05type7.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\08symbols5.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\13publish48.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch03\F2UFA530.gif	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\out.txt	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\10interactivity6.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\tri.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch01\variables.gif	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2404-x64.exe
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\14shortcuts8.html	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch01\send.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch02\timeline.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch05\textmodifiers.gif	_INS5576._MP
File opened for modification	C:\Program Files (x86)\Macromedia\Flash 4\Sample Pages\F4SelfDetect\myMovie.swf	_INS5576._MP
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2404-x64.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File opened for modification	C:\Windows\_delis32.ini	_ISDEL.EXE
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File created	C:\Windows\_isenv31.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592847234296196"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spa	_INS5576._MP
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fla\ShellNew	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\protocol\StdFileEditing\server\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe"	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.1"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\Shell\printto\command\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe /dde"	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.ColorTableFile\DefaultIcon	Flash.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\DefaultIcon\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe,1"	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\DefaultIcon\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe,1"	Flash.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GeneratorTemplate.GeneratorTemplate	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\ = "FlashProp Class"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\ProgID\ = "Flash.Movie"	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\InprocHandler32\ = "ole32.dll"	Flash.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\Insertable	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.clr\ = "Flash.ColorTableFile"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Print\Command\ = "\"C:\\Program Files (x86)\\Macromedia\\Flash 4\\Players\\FlashPla.exe\" /p %1"	_INS5576._MP
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\LocalServer32	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Doc\DefaultIcon	_INS5576._MP
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.ColorTableFile	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\ProgID	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\DefaultIcon	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fla\ = "Flash.Movie"	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\InprocHandler32	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\protocol\StdFileEditing\verb\0	Flash.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\ProgID\ = "Flash.Movie"	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.ColorTableFile\DefaultIcon\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe,4"	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\Shell\Print\Command\ = "\"C:\\Program Files (x86)\\Macromedia\\Flash 4\\Flash.exe\" /p %1"	_INS5576._MP
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\protocol\StdFileEditing\server	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\protocol\StdFileEditing\server\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe"	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\InprocHandler32\ = "ole32.dll"	Flash.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.clr	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flash.Movie\DefaultIcon\ = "C:\\PROGRA~2\\MACROM~1\\FLASH4~1\\Flash.exe,1"	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{597CAA70-72AA-11CF-831E-524153480000}\LocalServer32	Flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	Flash.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4412	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
5292	chrome.exe
5292	chrome.exe
5292	chrome.exe
5292	chrome.exe
6108	7zFM.exe
6108	7zFM.exe
3716	msedge.exe
3716	msedge.exe
5228	msedge.exe
5228	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1400	OpenWith.exe
6108	7zFM.exe
4412	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe
Token: SeShutdownPrivilege	3540	chrome.exe
Token: SeCreatePagefilePrivilege	3540	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
4940	AcroRd32.exe
6108	7zFM.exe
6108	7zFM.exe
6108	7zFM.exe
1028	Setup.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
468	OpenWith.exe
3828	OpenWith.exe
2488	7z2404-x64.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
4564	_INS5576._MP
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
5356	Flash.exe
5356	Flash.exe
5380	Flash.exe
5380	Flash.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3460	3540	chrome.exe	83
PID 3540 wrote to memory of 3460	3540	chrome.exe	83
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 1896	3540	chrome.exe	84
PID 3540 wrote to memory of 5092	3540	chrome.exe	85
PID 3540 wrote to memory of 5092	3540	chrome.exe	85
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86
PID 3540 wrote to memory of 756	3540	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://winworldpc.com/download/c2ad50c5-a145-777e-11c3-a7c29d255254
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff94f5ecc40,0x7ff94f5ecc4c,0x7ff94f5ecc58
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4816,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4760,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4936,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5804,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5848,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4804,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5536,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6136,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6096,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4660,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6300,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5160,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5164,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:4808
- C:\Users\Admin\Downloads\7z2404-x64.exe
  "C:\Users\Admin\Downloads\7z2404-x64.exe"
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5788,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5780,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6040,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1592 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5184,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6480,i,10059995221873690433,74252226721867102,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:6036

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1400
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Macromedia Flash 4.7z"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:1788
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C095508B5F17B813D9D3549EBAA050CF --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6B6877658F46E9CAFECF05B7CE0D8894 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6B6877658F46E9CAFECF05B7CE0D8894 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2076
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=19DABDBAD4911AAC0663C099D4A7009E --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:880
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C2ADBA939F65DB001CF27DB53323A96E --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1108
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7B4FB6644A8D038534D5D8A7C8085D4F --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=37C5DB4FF567EA5D1023547641050B9C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=37C5DB4FF567EA5D1023547641050B9C --renderer-client-id=8 --mojo-platform-channel-handle=2500 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3896

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:6108
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCD76DDB9\Macromedia Flash 4.txt
  2⤵
  PID:5804

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
PID:5988
- C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\Setup.exe" /SMS
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
    C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4564
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Macromedia Flash 4"
      4⤵
      PID:772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\Macromedia\Flash 4\Readme.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:5228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff94c9946f8,0x7ff94c994708,0x7ff94c994718
        5⤵
        
        PID:5208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        5⤵
        
        PID:760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
        5⤵
        
        PID:2860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        
        PID:3908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
        5⤵
        
        PID:5816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17814992848457444750,14999658747404195481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        5⤵
        
        PID:5972
- - C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_ISDEL.EXE
    C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_ISDEL.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4412
- C:\Program Files (x86)\Macromedia\Flash 4\Flash.exe
  "C:\Program Files (x86)\Macromedia\Flash 4\Flash.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5356
- C:\Program Files (x86)\Macromedia\Flash 4\Flash.exe
  "C:\Program Files (x86)\Macromedia\Flash 4\Flash.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Macromedia\Flash 4\Flash.exe

Filesize
3.9MB

MD5
21d2056d6df176d7f08db1a86c407311

SHA1
e254d5fbd9e77f0a98972c24dd5134a56e51db2c

SHA256
212b6792385461a0ca609c79ddb3e5c6c2fd4e1cf199e14a85a7bfa6e71fe6aa

SHA512
ac4784f98a7e06218711182ce7903280baf250d40bfa3cb38b999442aa4728fd9f2e1a6f5b2c9bd1f3d5e805d61d9e89e4e55bbbdfdee96f4a6570f58a6965e8

Download Submit
C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch05\textfieldmodifier.gif

Filesize
135B

MD5
cbd2c8b7e9548e7661172a248eb2831e

SHA1
d2dc6b8752191caab2636c4dc8af3f2668a384ca

SHA256
6fa451273e68aa1c75e66d3692dfa03d9671a03ba0fb7bde3c1abd8a7b1c463c

SHA512
cea50ab04fcab17b6d3da4ca4eb789e8da96ad361d87edd4a82315dc906c07fd36b1453150ef37e09da63573c6aa808847c53087ce1d9f631b770064e10609cd

Download Submit
C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch05\texticon.gif

Filesize
152B

MD5
bb80bf701c452c5910809f7190042023

SHA1
16d476f137bf6dfaab0df4974fe599e394e83663

SHA256
e2a418ba5888f1a8a39912f48c8403bf90926349f0eb9e7c8392c1f420068509

SHA512
18f2fc0b9e48bafda39ee115d60dcbc8a4e030169db446b35ad5f734bd4cf2e356cc048e9f6faf09124bebb1f27a3328a150a9595c6b21af65f36d276fcbb045

Download Submit
C:\Program Files (x86)\Macromedia\Flash 4\Help\html\images\ch10\actionfrm.gif

Filesize
1KB

MD5
b3fae339dcea84fbaa05e2b0275f4ee8

SHA1
35cae80cd815350d01fe300443674b5b123602c1

SHA256
bc255bcf7dfc3583e20be1eaabd779451d111036973dbf936960416dec6f899e

SHA512
54f1afd4d1530a1269ff817656f0143f343d703f0b34f465c20a4e528bccd0bc657de39db63fb9b702027ad1da169f42bdb734a8351f391cce158578446056d7

Download Submit
C:\Program Files (x86)\Macromedia\Flash 4\Players\FlashPla.exe

Filesize
280KB

MD5
a03f2953fc48b98f31a836d8104adc36

SHA1
bfbb05ccf53147b7f2bf87718285392b9135efa2

SHA256
35d3ea2ad893b62fad478a5dff9fbb963b1d0c4686fa4b0448d15f068daa6091

SHA512
ca7a8a861e575d6d45b229fde78b2447526db57661f6a9df77c16fdbcfb97c2034a2516bc7dace95e424598d418229414cdaa0dfcacf2ed3d7374c62e2922578

Download Submit
C:\Program Files (x86)\Macromedia\Flash 4\Players\NPSWF32.dll

Filesize
240KB

MD5
a8f7ed6d15d95e8cf683751c40b96725

SHA1
f3ee5556b6b9a90450466d29ae5fd5e29989e8ad

SHA256
f1207e71e5b25ae2a52a937ac6f033a4cd8e0fe5723b2766820af2d05914e0a3

SHA512
adfffb3e087fe2bb4c1851f5fd99fbc61740a5cfb052da3d900819874ac301d78732ed2801084be8a313bf8241ea8c815ce79b103b0707c776190d9ef4943be0

Download Submit
C:\Program Files (x86)\Macromedia\Flash 4\Readme.html

Filesize
11KB

MD5
8f082a7782c698b5bcca0628ee50bd01

SHA1
936ad0bfe4ee5ac91fce7e3fd0bfd9d422e4e7e7

SHA256
24e875e96bbc3a1ee36a9918c3070c3a492b2e3f5d2a606bd0c83257bf652897

SHA512
9563bcd01e2bf7ef68318f2cd841417679c09cecc86f9a0df696c426e7d006d512634d7118414fcf80e692a802a6d92b86b5796269d0957ce09a93bb0a9a1706

Download Submit
C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
fe487725998a00de2ecd41b1357ca0bc

SHA1
cffe7d83767b3334533f9525bea67e34dcb2b632

SHA256
e0625e017c02038cf25b60d03f3c46da44b4232bf9c664cf30bcf67af81229b1

SHA512
173191f2678a4e73457ce4a4008c432080e050004fe034f93cf05281be6be670c54e0c37f23b90d4f9f6cce4de82fbff71cec817bf301d4d84405ea238f1c730

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
29f6d49053de1408586f48681864ca5f

SHA1
1071e887849cb92776f4a6d4cb6d0dd1ec264b65

SHA256
84d2bcf774aba77e938d3f36bfe020e0d49cfb3074ad9de69b5af78054602b7e

SHA512
dcdb5252e660b0d186c8db508db3fdaab22d33bc20dcaca2b41d5d5e64d5780b25f2242389227ddefff96978f373f89942389673c737b3102778982b91ca6f32

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
246da2a8b76013599e3d11b9f6f03515

SHA1
6a10aa64297e68fb5bb5abb940338d5a51c0e81c

SHA256
996e8436a50a1818b574a7ecb078d4f3566d6666fc4defb2493ec7f0c08538a8

SHA512
df9d86b41bca8e90ae212267b3cdac24e5c506dec0d88832b3a7f407f7f9057f23bb5c341137727f593088eb33a811eaddc445ecf1bd61b89cb1777837b0f1f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c24847e7b86239615a0f5f4db39f25e8

SHA1
a0fbca1015797244753b3f7fc2dabc52731fa6f1

SHA256
96b895f9a238f5058c7b230cfe500247d640fffea18cc360d75358c821570cd3

SHA512
900297b043ea2e47422907e853566ce18889997923e6120286792ec0228305326d1753e83f443c60fb390e1dc39562d4e4851eb989be3e46d19de0edd0b156d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fa6e50e35c969e8404dfa9d59eb8ae33

SHA1
300ddc554cc7dd428ccd60d8e351908e4ed964ca

SHA256
ebcfe6df2aa657aeeba9c0c0d7ddf63ee90334d3d8d3f3e16a99b4a7c7cf80d0

SHA512
199af503b1e56d2811341567a1f91dcc3a9f89da8f96c3cacc33eed988b180a37284a414af6589b1c275ae88dcaf7fb61cd344443d7b8c0281299773de2d34b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
95f4e4b654b25e3a4c289867ab02f64d

SHA1
57a0d99d6c3c6b3b4317eb84887360cbe71426b7

SHA256
41100a182a3db83506c70f355f9279ff9b5d88a80cf901d8443270ab2b128c5c

SHA512
9e21c5a22f469c3e7cbd45b448a3e5249f4b522675d92b7f1ccdc5d0971691f1f9e2533042212d93482854e1778541a8cfad25f6a89c134529cd03be71db59fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
fa3499eb70323e8a3a21cbc1407512a3

SHA1
86d2fca4ac4f4be11a97f33a2a64634c7e1b0265

SHA256
0e5163c72bb5066f2fa946bc27d367b34a02a43dcd69b0c9ffd824d3fd6cc068

SHA512
3eea0c8e458a8849a2b6a4dda6eb1575469ab0173e416b4ada4d3149675595a25a3c2861f6551838d002dfd3d96352df92e1517a0ed7db5f27ea195ee63db72e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
b07562daf4d7540bcd5068e8ef28b0c1

SHA1
fdca98a769b7bc9e3a763d4eceee33aebc7cb0aa

SHA256
13039993c3de311f25bebffe3193f50943ea72cd021d4cb9e32676f140049cba

SHA512
5f1ade6f35445269b8f47fb270dc363b9ecf87fb91f81f96b6661a6b67d8ff7a4eb9d5557da72a92ceef60870c975523c2de2fa1a58cb393e2a442b853bf354b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
4b2418a56eaa06a7cdb80eb072bba601

SHA1
b2a6b54d1bfed93c4d0094c563186cbdec318437

SHA256
e183f28f67819fc53d62c660611738e40e29e77d169b71128ddd0745542db9e5

SHA512
4e571f714dd6191ef68be1986619fa41473417f7dcce75d09923d4fd4c3c69a181f0046fdc60e4a98e4e0b9893cb6df4af9b738babfb3ecec8750a0e729e2006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e97f2cc15567945efbbb8b2efb9f4d2a

SHA1
f17e211feccecc2cd6a7eb1fd07563005b7e7f74

SHA256
603c99c3a19701475b2fe88fe91eb22568b7d1da876fbf621d755c3db852b469

SHA512
6f0b46ea29008ae8cd5989679987822613a80c28ad41b211c171742754af6f0cd4808d5c02a265c15541347dd4c770522741d4ace790d31a6be6458d23e0efb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
62f50a8da227bd0ae9b6ea638aad16e3

SHA1
46947d75a9699fc5fb3958e9a4416c575b701eee

SHA256
3fb7b89922f0fd683b0554811e501d167891240881bcf2f8338e2658f538440f

SHA512
2a74bf0e034f2622ff42223d995ad6e910b23c08eebeb18013dbbf0d8876ffba2fce6d1c323f5d962ce80f84c6103ac7b49e049841a522d7b222ff3717f1cec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b9f9c6ef526e77f4b3563919fe0d1476

SHA1
9bf4de4688fc078841b616dd680f915db22d4c72

SHA256
5e4f983e81bbd9114521862f2e5e9f4a10207701548dc08e6a903b689f4a11c8

SHA512
4b572ff7aa4339cece52b1b6346f4c62c2e54d98f32788bea0957c1fa6986f85387cd78643f4a028c4441e56bfa54c5fa1d5725a449fdbce4d5ae2ccfea2b4cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fb2995941c3e56f730717409b3ed191b

SHA1
3d24032bc8ab78b10d1d35f9b46a487b5bd032fd

SHA256
a82868b9b37c1ae2d0f4988259a49f38830accd39483c37ad7d1625c895c9e26

SHA512
61aca3ddfe1902c86513ee9c2028eef001627e6101addb8fb8daabe2a5c231db077c96158e64f104b9db6c17f75e9f3077aa5ffc6477cc5108cb73ba2c799e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aaab0664808710e7cbf5964514519b73

SHA1
8c2fe5a98b77a1d4086403e4fe854df0814a6895

SHA256
ef618e6956965e207481aeab8805bffa395ac34c281b8c1ee1a5ffb99a4d0a05

SHA512
3ab809c199d50a8b3e911ec9ed9b7845c6ea7ebd577282f611ad54e1cbe73e745aeb5e26d5052ee44ba40acfce03bb57d4e5838624cc29cfd34c8764fe0b6011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f01ebdecea9af9531a382664adf2bd7

SHA1
ae195b3d1cc5e0d17f4e66048be88049830df7e7

SHA256
15ea065d0c5fac2b0a0d554911b4488ef61c0f6e5c7cbcf1088026402856ded2

SHA512
7fb14086054e27e171b0f3463ab799bc4b2e01d2d67feb54f888d10739a2595503c68474c269e283ed3c6fd9c5bfea02ef75012375caa479b64a4a441c8cfc3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca76d0f67cec9be411746dc20e6620e4

SHA1
230706b635346d368282a3db61ffdcdf46cd7b16

SHA256
88986c79dadb4e7eb0df956c552858cbfac352cf2be579f3659f19d3aa9f85a1

SHA512
a4eb3945dbd5db814330c51653c1f07dd256e3f38cece90faa389cd84d96f1968146e51745c83704fa4d9ccc3898a6396f0e848b03f3917abe5d3267a8af1abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b37e59365a1a5213cd63bea2e168e96f

SHA1
aed8b42261a71244727eb79188535d1f689cd019

SHA256
e678bfadba9f4c9408637462fe9df0deccc128a5842dcbe67305316035fa9c6a

SHA512
8a2914974092cd5930bd8fd778c31fb76eadcce49eacdd4efd1335e6e65c637f922ddcb1b5d0511f07aecd00ea2b834ba06492ae4933a2534cafdcf0a035a7c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
96892ffd5df7b3ce877c85236c330124

SHA1
18293027e2977d7b9b4288eb88dd4913f52f1ad8

SHA256
b160ac714f31ae21f5e8fe8dd61752ab61166361097bea56dee13e7a3cb7afd2

SHA512
b988411e5d8a55425581bca39f8597e2edff0f7b7c50f9dc65c5c1727715ccafddfeac4370a9aa56eacaacaa6b3ea3b8ef3828db542059f07cdc6d13ae1098c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
11f93e6b169503fcb197a7d3020b5ba1

SHA1
07f93041cc25b471afa391a32b7544a0522a1903

SHA256
a7b26c4e5d0a568b7fff68107fab7ac82178c60e82371dff53a657a812341833

SHA512
c9f0b10a85e75e21d18b77468a24f5238d9e345f1f749d7bbcd24f8875c1df5a06e707a7046596df140e3d3b139421ee26d92851cb5fe8b0f58b38749a7dfad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a36d3de1b7924d24fb39b11e4458f02a

SHA1
8538eccca4693398b15b191b1c16509f2d217044

SHA256
9c1ea03b8f40778961aefe949704b68ef939efdd25d1826be7dc6e2ca8f38924

SHA512
aa22716310736b354301a8fa7b2ab0eab283acc6111a1a3c826bc224621c457cf3afe26f32c4dfce666fc86cb62f62fae9bdca90bb7d4492fb2457644f3a2810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ffde2688418af7694f4ef1f1656d1abe

SHA1
fcbac39bd41cb996dc430d21cdf46fa655ef2593

SHA256
6b7afb4ecdb85603255917e3274046d117ce8136d436796c89acd7e87f5c0200

SHA512
882c32c55db573c3068dc14e229e0a70bd83f3e12d2b69300db4871a013223f51b5d9e6577218fd13d2c1af5e069a7293e7fea57198c2ea863cd2a875f65d525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
50f82b341cd2f051df2944ea7433d2aa

SHA1
ddc13a4f4e9dc4da0b32eaf76e0da205e1795cad

SHA256
770f19c4490bcae42cbed39f50c4e91f6b7790a941064c8f384dd9af892e0887

SHA512
609732c9f0ae7cfcdd30b48a2675a33281d8140a595cb8399d5feb315afad64fffe34e11caaba9c4bc9ec625814108368e60addb9750ab6be88dd4a8f5b717e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e874cb41b227304be2347dda02db2416

SHA1
df0c6539beb57e78a32b80072503d5a9a6be77e6

SHA256
80e2f50bf91a91ed0b15171d30946a2b14559542d91c36ce0b7564bcb3a52aca

SHA512
6680d9c984c08ea47ba16ce80308c2918327a7d0bbb7e3d44209bc009bab5b3b1d4fce80369de033b7a61315b970f88d6d9b05f0c324399b978d29ede98f2a94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ff831701514e367f29da5282f7363274

SHA1
8e153dcaba59f1cd237f6b67786a9c5e6f0bd65e

SHA256
35a0dcd61222091ebf730c32bbd1d5598f786a593c0cb6a59caff8ca490b4578

SHA512
3aad52e4ed501e77a5cad58da1c3779a9ac6cac43fafe0c711cd469872d50f6621f46fd2254967d786d50bb62e01eca2b47f0125dfa03ec72c8fd47849de9e76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
120109c1c38740f83c603f95f7275e4a

SHA1
5d05a529d05b35824d0f7c1e4ed158274d9774db

SHA256
ace232b20d9d85764c80bbac766063988835c9b29089836e5364a72aa0f3cbb0

SHA512
9328c505c6548dfd96c24bda50613059c3f54462bd00d4eaa820975c6ddc26b78d3f47f49c7c05e9ad2477dbaf6d7849e479a859bfa29e3ce9c84526865b291f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9868ff2d87bfa8d6af9cdad3f218e8a4

SHA1
20c29cb2fa69d814f5a810d75f1e8d330c5def9c

SHA256
56b9e2ec2df0079e1ca01367547e1f16d123fe0dc3951a7c9399d0e3cc281df1

SHA512
75157603e3f680e50042e7520b87f85867987306036df7a208b80a9641cd3d3a76a3edba7d68bb8475e3e3952f0e49999d3f9c847c16849af9bd7159e21650d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c471b26cb3b059af17364615b11a1e30

SHA1
1b1be0488fe01480086faa400324d2306c9eaf15

SHA256
1c225cb4b3da15aed3b8900fbd65f43a99c19d8db8c2f9178dc281295ff385e0

SHA512
1521bdcddb5fdb228607ac034c62caea772c4e1774b3080f4fc68a7a150c5ec25bf06da9cc16bac8d6c684c842b5de3b5403e6d47041e35a4741db8a7bfcfc9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0fac4af00cec385b34358d6b708ab46f

SHA1
8a246a34d730505ae5a8588f948c895ecf1fe326

SHA256
cbdcb615183c452d4035dfd1cec5521f0c8ee5bc40ee5ebed11857227f859107

SHA512
1964ad1ca5766a0e10f246e1c26a34f701d081ba8bffdaedebd5f8cf64a16b153a0efbe7a396e5bd92a977edd1d2ab55a07e89ff8b7b400966a0efd4d5a27926

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d3ea38d0c057ec10d810d084f4fa5fb5

SHA1
48ca7a5e52644a24992ecab8d0b8e210c057de2f

SHA256
797a708648f62ed81d912492a80b8f8f9d280d9f0d711a94b401c83798ce3c6e

SHA512
7be567b5f106b4eb1e96e1f44753338aa02d40b9856855cc1b882d4edb9d8ee57b95943176bc63df8beff291e72579fcb590e9751d899144e18e8bda2d3ac08e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
948369304d4515699acb0efed6562ec4

SHA1
524edd4b62a2c5c3eb9aee4690bf17577444f101

SHA256
19f349aa0e11e0d4a77c2479585ba61abe9196054d97f57d00a721ee8cdd85c6

SHA512
25b4d92ab3d00a2d4db44ebd94b75c2061d063ef3fe15de44e790405bf7ee1acb05d783d31d89091d5f235d5cad82e5a2ee7e71006f5160984dbcda188fe01df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f58f9113b7d4a9eb9327a4f260cae932

SHA1
d68f89e6d6bdfb557e196c547665abe7c2e2ca3f

SHA256
586ea1ada2cfa11a2221a020bd58055f0270d3a746b9cc6334a0fa2bf51bcc6e

SHA512
1dc4be18fdd82aaa7db0d01aa4d622476e7f87cfe748eaec7280f99dac7e45ffbe1898f962ad664e179b205922877dddcf935ace043b1253f5265fc61a9b9956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
cc187f2235625d0b19a5b793dd5addd7

SHA1
a6c097a248305c7f77117ad96b77c33c3b49e4fc

SHA256
1995820e51c4859ddc03e3f424cf13156ff9219637de333d08b39af5dfe20fd6

SHA512
5cd2defd2017d4d6c47eaf39958dd396c69a65a601537162af6606eccf2636d97c6b8689754ebb22e84d93395df8f2bc8531a802c46845f12a4c6e79a18a32db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
fef23ea4f2fa48e489c80155e15baef2

SHA1
8b07fa30b756efe70dc862ff5ed798e31b5aa2b0

SHA256
0108437eff164cdb525f3d6263ad7c8e4ee772381f77210229e599d8ffc909e1

SHA512
0b0d4d4c3ad699b6b21edac0509ee27818ee0c82974826cb77a1e6817b79b0686f47105461e9fa37e631edc5f630de6d3c0b4165485444a5c9fc678dbc74865e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
521dfd7f69f2a91e14cc9c8f94ad5c94

SHA1
fa49de9559f1f0079025bd9e5856e1a41584a459

SHA256
79ba62c8784df5b064474cb73794c0da4e454582c0a6cfccdb27c12c34393d05

SHA512
044e16f1ee11ba53a48142becf68afa3c061837a67881f0ae9af9de310ecdf47e78219495de42b656ddff905d3b872d208bbbefff753bc69a6aaf480ce135a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d91778bdf660647a498b5267f5d551b0

SHA1
f8f4d56a2d3ad6b36f8c15dd2d6ffdea8ed57b6b

SHA256
24527dbe726475399dba16c5544dbd4bd7fa541fbe25ca79b5fac9f26334ff92

SHA512
1cc26c2cf449bb6d680dc6f8f1850e78ca44ac0c7fcdac9c9aa5d11a8e0672b3e0b476d70d86439281feb9cdb8b74bdfc9f828896c083c1d4a6aac350b63ca31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e892ee42ff11e5558275a4128c09262

SHA1
a47718b3cb2ea484f7ad89fc7ba34f5c30df12ef

SHA256
0bb4c766676f581812a1e916f83913172664b71029e9bbf2c17cba356739fcfc

SHA512
70558234d84317fb92f6b7e216ed31d7ef073883e21d7cc05015a6586cbcfe0457de9f5f7b36bf3bc0566c01478666df1104ed3ca5af3a24729d592663291d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1ec73abfd60f7db2f59c4e11b0e1eb7

SHA1
eadb30f372133d7ebc61e2fc1621807e7d0588cd

SHA256
c5a5d47cfb991814b092c27306dd585099c726d6437bb20958b348c9a7885763

SHA512
28648ebba14fed2355e461a9716de5281b36816f39e8ca45d02edb256c8e0b54410c5937af5f54096f0b610fd71f74cbc689ff90fe974de4b3dab9e75dfa2291

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCD76DDB9\Macromedia Flash 4.txt

Filesize
690B

MD5
a18067c260f86f3d7a0b3c0214bf2978

SHA1
9f399929a10cf2d0c1980617f9a73155a3c6de40

SHA256
caf380ad8d25b2e7ae6c652541e77fb3c0d3e02ec1a83b96a5fa0e59242241b5

SHA512
4bc42a3543a6208d9163ca1137cf54c93b85f44c9d08c8d2c055aba51ab5ef6f675cc96201a24a65eea83e32b9172e07eacb0fc3a7b0db2ad87dd8b3130cc78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDataI51.dll

Filesize
52KB

MD5
2a9a390018a50f1af0df0b7118696f6e

SHA1
f9a4cf357e49cf1f032ca4f8d46def52c6935e33

SHA256
1d9321dd5e1790dff91cbd475a023760f3b6b6b26e849b70b171b841070378f2

SHA512
813be48cf11a14b618fbfa358794b1e6cef727f305470f27c82bbfccc0921ef2141d740a71c47890db1e705f10bc3d0c67e3d9f651710fdd88f19b9e7e30bc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
182B

MD5
ea34623a41885a3126180ad317ae1b62

SHA1
4f33829b71efc6cd479e1435dc4f13adaf8d97f1

SHA256
0ffe314571c013ad062637425cd2380eaca9bc52967739b902f621e03ec5a7f6

SHA512
63ab3cfdf6fe7e72b03fee38a2a113cd9a8f4fa03561268f509c76ee97ccad83be56e3d657e825b6d6546379f3155fcb2527917571c0e236826e7e8584f4fddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
544KB

MD5
d28cb295e2395b3593293470e7784512

SHA1
8a734689b76929beaeb6110c45c41948d4d4c12f

SHA256
a8657371f03e2e66db951c3dcd3aeb42c576894908ca2eb1b3806aa0404cb083

SHA512
c526b986e47a8cb2f9cb6fd0bf1f48d9fbbcbfaa6dcee0bce6670095df586b179eef0fa6fc7ee56995d3f100df5ed359eff6858d646b68268bd9d3c68dd816f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\Dlog.bmp

Filesize
31KB

MD5
c3908134a38bcf806ab91b6460dd8123

SHA1
51829be666be9d5429f13e03a84af43c38b5b62c

SHA256
daaa039c1bae7ccf0393b22606191d6721336e1d44463681977cc082c3ab9f24

SHA512
0cda8bd7f679ecf34daeaddcd2fcd78e622535676e5d47616c612f643241cb329076ffc9e5f30bd0e91f37c3ebf15b2c456265475d93400a821298956fa6366a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe

Filesize
299KB

MD5
515e4684008e955de0c81e6a7aea1c2a

SHA1
ebe026f9c551f372ad82186ff6b9c2ca26dd684c

SHA256
6d631e94acce1f2808a6b1125a6617d1b0ba7e50d93c1d656aa2620bcd0bb965

SHA512
c889a733c61687aa9be0b67cc2e4ecf2a500386054dffa072780a4f46b29373e0dad79c35f375fdeb6572dbc11b24436b88cee3ba431a37965cf0e884ab636b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\e5a1c92.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
9567a2dac1b8efbd7b0c6dce2a2251c3

SHA1
db72683ff3a3000771394d5eed7e2de922dcadbf

SHA256
67d309a88d68c449c2d0a76c0f2d2c9b2b764a469a6daea67df0279dd49c9296

SHA512
51806383e05cbc67754fc746c16ddf8364610bb22260b8638f586b02dbeb0813cee6acc9962b2b928205d445a82f2cc2022b6d1162f8da644ac902c0f3a327a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\LAYOUT.BIN

Filesize
609B

MD5
0ba51445dabe940024b128d331a76c43

SHA1
99a0f3a2d9df271674920d3cb13110cc3a3ad842

SHA256
de89725ce5231b2514ca3422a6b6a55db3d89124be5fd2e169e4a297031a7530

SHA512
ff9caa8333cf1ea132484350bab2846ca942c1017d78eef563114de9885ed2212e3ee3b7d73b113099f09d4d61dd8c187ddc8c3e7d88a543ee3a91f04182bf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\SETUP.INS

Filesize
70KB

MD5
7177e0495485811bcaccbed70695080b

SHA1
a8675ac687050356c57ba5da0b642d8a80166af7

SHA256
888b89125b9d856ca6bd1482a503625c890bee504a3d07137fdebb9483e54bd9

SHA512
a338274e2c327bf68e34c814e6af0d395b31eeb14b212fe2251c126501d614878748befe1064f3dddedb2217cf6c4ead4345c7b84f4a37347e7c2277d6c1011c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\SETUP.LID

Filesize
49B

MD5
1b79748e93a541cc1590505b6c72828a

SHA1
1ddefee04dc9e9b2576dc34eebcfa3de4aa82af9

SHA256
708d29c649525882937031b3d73cc851b7b1bc30772eb4e0e2a71523908f2eb5

SHA512
e85c1f04d3841cd1e5aa5d7ba37bb3aff557d67b1aceb2d9435f07862593eb4e139162c71d9b017c82aade2e1c535c79d1a18d26dffb95282e10bc64bda04bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\Setup.exe

Filesize
72KB

MD5
71e6dd8a9de4a9baf89fca951768059a

SHA1
aac779471a2f9ae3d3e0e39047ef1744feda77b1

SHA256
5656e87da0641c9dcfcd0ee8949ce72b3fa6a7d0e8b1fd985a16f6bd6c34ce52

SHA512
d15bb31ce595767dd366ea2130121a7a2a311c4e639f8b464ceac880d00735c11d950fc16725a3da9459d22a122dd3c33bc0631be90556b4078df9509b0048de

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_INST32I.EX_

Filesize
289KB

MD5
6229a86a1d291c311da49a7d69a49a1f

SHA1
586254e13d8ffdd956f1fb4e6ce858b91a390864

SHA256
b2ff4e8402a5160c491b1ac7eba0073fbbe2220dce107441461b250544eff35a

SHA512
d2e21662258593d17b8debbd74f92e2b37ee3f5f3fdb0cbe8a4c9a16a6dbee6911b92c4afff86f4fa2afa311343e43029dec9c0e08a728309f2ccbf1ded7e896

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_ISDEL.EXE

Filesize
27KB

MD5
51161bf79f25ff278912005078ad93d5

SHA1
13cb580aa1d2823ca0f748b1fc262b7db1689f19

SHA256
b5dc0feb738a91ce3cfa982647fe2779787335c6c2c598d5b49818565d7c3e84

SHA512
c91eac5a01ec7bfb4d3c9df7f90a1c6c6211464ecfede54f7ce2f0c8a79561e4425a56eb41b48bcd89a80bd45228b2ce0c649ed92d24019a15916306d9131d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_SETUP.DLL

Filesize
34KB

MD5
ecacc9ab09d7e8898799fe5c4ebbbdd2

SHA1
be255fe9b6c9d638a40a5c1e88f2d5f4e37654e6

SHA256
1ad637e80a25f6f885604589056814d16ccad55699be14920e2b99f2d74c1019

SHA512
16412756b147a9e6c1e8ce503f374abde87919a5ae1de576963ed748a2934eff9f95d5b33cacefebe1c6cdfe64d9b595986c60bdbce8aebf0a4bcc83b6f25779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_sys1.cab

Filesize
171KB

MD5
0a5a5475e110a23fac3deaa3d45af970

SHA1
23a7864c6a4e2bbd59b4f07f23fe03c2dd6f8098

SHA256
2f92ea610275b1a0988d793f0b34244849ba19eb719e5bc232d2c5ab919c1525

SHA512
5da37ca38de28c02ce9897bc4b43499f8e2709e8ed3b9501cca81d3b819303e30c27eef29ca8b3216fa832773a976a6a3e7a092230f637f7f90189fb71a14c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_sys1.hdr

Filesize
3KB

MD5
b32283a102f455a44d6526c7a4ae67c5

SHA1
6ef0a74dedaf3060504bf53447f2183ad7258847

SHA256
37d2234f80d3ac67f654bca94ff4ff041c30a22a97e7022847080de59cd26fb8

SHA512
eba84b2f27b74eae9c904875028e559780639324e2b1bd3e4f96da5491f81515f1e8103f412b2c158f239b1a46bfec2927bdf4847e3c0dd989363d517776b656

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_user1.cab

Filesize
17KB

MD5
c0116a4a72e0ccb1c1b475fb2b0a423e

SHA1
fd03f335362916815d349f31d6a28cd4a367db0d

SHA256
f57eb79df16f56162b599a5718cee91681b83067962edb75c155a1f4bfe41001

SHA512
6afce137b0d7241deecb4c9965a2a5a0d1c07f8a6d95c7b70a53eb173b30d624d1393b9baef0bce6b8cf1f0e60bf3bdbedc433c57e057b9fb5b3c880ae371127

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\_user1.hdr

Filesize
4KB

MD5
559014b15676bac6e1649dc7bee7f316

SHA1
0c23490bd716745beacf85c802c58e4e7066730f

SHA256
f65464a8387faa9e1a496c66db46a8236c997c0447f5c06b2015afd735b50cbb

SHA512
082a39a9b216d158d1cead1ca6aaae45eda3c4d33e8c0e93320b1a205110b77918302ed0a9395daae4461736f6f7ca4a78a354e31d8dda21e15963a6c56aafdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\data1.cab

Filesize
8.2MB

MD5
98b0dc09051c5b0d4ffc5c6be28b1ee6

SHA1
851374ffd7c90a66ec121fc70a0eb8cf9108cc23

SHA256
740cb6e7bbef9ef66f22dd1862d04014fb7eeabbc18b9b01ed3809222d4a38f7

SHA512
e2853a14725fa3d7c65510ec1c7b34f43383a8fc6379577d2c9b7015ddbf9455f5d27cb0f2ea5cc47e20bd9fb91aeba680df71ae6104be26c4f7d6fc3374fc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\data1.hdr

Filesize
51KB

MD5
eba4a36f6a760deee3dee8dc3d8a8f8e

SHA1
6fa9a91504f5a5fe63629230163d03178fbe4f5d

SHA256
97f826d283c6132baf40abf1665410b7dbfad1f6e82b70d2ca9756532a9c045e

SHA512
8605fced6bc200b0f4a5313a42a795da414f14314c57a4df41a82f7e6d1dc91dc0c8903bae776c2cfa20c1fc16677727e9a9607be25482f4b1247f0b524fddd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\os.dat

Filesize
450B

MD5
478f65a0b922b6ba0a6ce99e1d15c336

SHA1
577bb092378b8e4522eff40335ff7a50040170b7

SHA256
be2292517342de82d50cefbacb185e36558fcdfbf686692e7df08a80331f9bee

SHA512
747589cae4514cff7d5ea9b51b483c0fe6cb9242b0f31503268a73881acddf25541a7ae56f8826b4f15235dd2ab8c98c94674666e47c36ea913bcfb539143c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\pftw1.pkg

Filesize
8.8MB

MD5
5125162a12f1cfab536a97e0af6d5504

SHA1
c101a9de928c27258da6f6b81b91244fa45bf12c

SHA256
23d6147ca14b0ab9432590338bf9e8bcb28903bc4ca7a5ce671f6a2a6b5c662b

SHA512
112771fc04194333aa7c9159239c6f6411a0bf45465b69fd35d4c5fa844733377f421cb21d500a05e77ca7df8ee2d09763eaba186becc93fee46ac47e4b76bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\setup.bmp

Filesize
147KB

MD5
96084bd9e01e5f4184dd55306e2daee9

SHA1
96c732e1f3b99360fc47f08330a88670ff5e3b58

SHA256
fb1c8cd9ba402d30c70adaa9bcebd59b0c628b20c49de4159ab7fe4754783b31

SHA512
75501efde387dd7ef5ca56ed774b047fe6591b29de88e8088272ae676ac9451f7529df774f7a613d2cebb3c2a0c3a539cf07ed12d601c0b82c7435a8235c002e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftFC48~tmp\setup.ini

Filesize
78B

MD5
92d9d705846b2f819f89bb156c9db615

SHA1
a6e7a1aa0564d924209002dceb20d08283a7733b

SHA256
2fe4609f3052e6383ba2f51a215994e1b254944957bc35c6dc5bff49ac270380

SHA512
3d0a7ff904404806c4785353ab4aa6b5f48dc0af3bf051af6937f637dde9cf0740080c709d3d0d1fdb42e47c69ba984ed592e3ec320a0b86b67c3f64497a6ec8

Download Submit
C:\Users\Admin\Desktop\Setup.exe

Filesize
8.9MB

MD5
fa302bd51465095db2808ab1ca1b9fc2

SHA1
1ade82a7ddd1ed8eebde8f6dd65832069c12a801

SHA256
74b4f2efd76a09ee5023095b2cc487d3ad40895ac780c39f96391540595b3eea

SHA512
400fb2aec9d40149d711cf7abb791691f11e5e064319144750f90da3bb74f8eb8385a7cd07ecf3379a9a8f3d15aa751a0df04547a2fdb45e539ea1b0681502a6

Download Submit
C:\Users\Admin\Downloads\Macromedia Flash 4.7z.crdownload

Filesize
8.7MB

MD5
5b3bec7cefe30b8ac511e80ee761ebc5

SHA1
c29caff4eef1b0df6b8500a0546d927b921b6615

SHA256
523e5bf7e11010b9b8a699343329f5fa84d7597762a95d0496b7ecf198e27210

SHA512
b42a31583d548ddebec5989f516d5bdd37ddad802c1f9d2e52a5edd3c2a4e40beae30481d2f34113f4b66ea536e869442d00944dde1d66d9d9f7a6e76bb4ae92

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 302253.crdownload

Filesize
1.5MB

MD5
61ba723e67d41dd15e134b973f2d7262

SHA1
3282a5b7c20c7123ae6168f0c565d19930ffb6f6

SHA256
4931869d95ffa6f55788e3b5d92088f3fe590e13532b9d8e811a52e2b377bfb6

SHA512
b293d21403e8ac935a0ae8daf27a069b31b3b6c4d078d3966f2411e5df34094f9e0ea50c7fdb118ae7f2e7ca25a3b526f0bc172e769244bd92125858357ce0ff

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\SWFlash.ocx

Filesize
284KB

MD5
ecd183e10d164a9c84d22fe243752f97

SHA1
e65f2d9a4a16b28b91ab14e0eab3ea3386b99d77

SHA256
e03ac2ac8d8a9c5d1bc26aaeae769e0f990d9e6aaf71444fe5e057bf24559f1b

SHA512
91b8cc61d6769e72e1b60a82364ffaec4da173793c3f8064345c76363a91d61b547931a99aa5b0f246501f8f16f4c990a559166e5f2367fd0c1212fb48ddb549

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
ce4b2c3cf94db6a65cc6c023ff68fe56

SHA1
2632279a6786a3a7b185f60c44716ef1224385fb

SHA256
7cde51fdb7646d63b962cbf6b4c41a6125816d30fc06ee8eb98f42679d043eb6

SHA512
23c106acf5baa2126bb677e3dd1d038fc7ac6c5fbda751134a66ff9970fde9f854368129a73a1eb434e70a6658f60d0e90b497da6dfd712fef3ad0dce18db34b

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
memory/4564-812-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/4564-2839-0x00000000031B0000-0x00000000031F8000-memory.dmp

Filesize
288KB

Download
memory/5244-991-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5244-814-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5244-2846-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download