a055e2982fe70c406a60855bc575c64a4847d4d8c97a76d6ad09726b76884646

Analysis

max time kernel
295s
max time network
173s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

90KB
MD5

9332428de39828f2ba06785e6539741f
SHA1

745b7b44983b21ff62da0ec693471db17d97679f
SHA256

a055e2982fe70c406a60855bc575c64a4847d4d8c97a76d6ad09726b76884646
SHA512

0990aece0c630a24f7973e87036a06e5412b69a51e76b1f5e7f22abddfaf0014feb16df79b8d588be238cb2f4f9a6c980891b3b54840cc574a9e3bda9fcc56d9
SSDEEP

1536:D7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfuwGjO6:f7DhdC6kzWypvaQ0FxyNTBfux

Score

8^/10

ransomware

Malware Config

Signatures

Downloads MZ/PE file

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "c:\\images\\infection.jpg"	reg.exe

Drops file in Windows directory 3 IoCs

Processes:

MSPUB.EXEmspaint.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	MSPUB.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a0a95a31ebadda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeMSPUB.EXEEXCEL.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5300000000000000d904000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	MSPUB.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422724816"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	MSPUB.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	MSPUB.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5300000000000000d904000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	MSPUB.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D9D0D91-19DE-11EF-A0CE-F6A29408B575} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	MSPUB.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 64 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4000 notepad.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

vlc.exevlc.exeEXCEL.EXEPOWERPNT.EXE

pid process

1636 vlc.exe
1004 vlc.exe
1764 EXCEL.EXE
3944 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid process

2304 chrome.exe
2304 chrome.exe
2824 chrome.exe
2824 chrome.exe
2996 chrome.exe
2996 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

vlc.exevlc.exePOWERPNT.EXE

pid process

1636 vlc.exe
1004 vlc.exe
3944 POWERPNT.EXE

pid	process
4000	notepad.exe

pid	process
1636	vlc.exe
1004	vlc.exe
1764	EXCEL.EXE
3944	POWERPNT.EXE

pid	process
1636	vlc.exe
1004	vlc.exe
3944	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

whoami.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeDebugPrivilege	2308	whoami.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exevlc.exe

pid	process
2644	iexplore.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2644	iexplore.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exevlc.exe

pid	process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe
1636	vlc.exe

Suspicious use of SetWindowsHookEx 54 IoCs

Processes:

iexplore.exeIEXPLORE.EXEvlc.exeMSPUB.EXEvlc.exeEXCEL.EXEiexplore.exeIEXPLORE.EXEmspaint.exeAcroRd32.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEWISPTIS.EXESnippingTool.exePOWERPNT.EXEWINWORD.EXE

pid	process
2644	iexplore.exe
2644	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
1636	vlc.exe
2992	MSPUB.EXE
2992	MSPUB.EXE
2992	MSPUB.EXE
2992	MSPUB.EXE
2992	MSPUB.EXE
1004	vlc.exe
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
3020	iexplore.exe
3020	iexplore.exe
2060	IEXPLORE.EXE
2060	IEXPLORE.EXE
2468	mspaint.exe
2468	mspaint.exe
2468	mspaint.exe
2468	mspaint.exe
1764	EXCEL.EXE
1764	EXCEL.EXE
1696	AcroRd32.exe
1696	AcroRd32.exe
1388	iexplore.exe
1388	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
1388	iexplore.exe
1388	iexplore.exe
1388	iexplore.exe
1388	iexplore.exe
1704	iexplore.exe
1704	iexplore.exe
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
2524	WISPTIS.EXE
2248	SnippingTool.exe
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
3944	POWERPNT.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE
3192	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

test.execmd.exechrome.exeiexplore.exe

description	pid	process	target process
PID 2256 wrote to memory of 3016	2256	test.exe	cmd.exe
PID 2256 wrote to memory of 3016	2256	test.exe	cmd.exe
PID 2256 wrote to memory of 3016	2256	test.exe	cmd.exe
PID 2256 wrote to memory of 3016	2256	test.exe	cmd.exe
PID 3016 wrote to memory of 2644	3016	cmd.exe	iexplore.exe
PID 3016 wrote to memory of 2644	3016	cmd.exe	iexplore.exe
PID 3016 wrote to memory of 2644	3016	cmd.exe	iexplore.exe
PID 3016 wrote to memory of 2304	3016	cmd.exe	chrome.exe
PID 3016 wrote to memory of 2304	3016	cmd.exe	chrome.exe
PID 3016 wrote to memory of 2304	3016	cmd.exe	chrome.exe
PID 3016 wrote to memory of 2308	3016	cmd.exe	whoami.exe
PID 3016 wrote to memory of 2308	3016	cmd.exe	whoami.exe
PID 3016 wrote to memory of 2308	3016	cmd.exe	whoami.exe
PID 3016 wrote to memory of 2804	3016	cmd.exe	find.exe
PID 3016 wrote to memory of 2804	3016	cmd.exe	find.exe
PID 3016 wrote to memory of 2804	3016	cmd.exe	find.exe
PID 2304 wrote to memory of 2532	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 2532	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 2532	2304	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2500	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2500	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2500	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2500	2644	iexplore.exe	IEXPLORE.EXE
PID 3016 wrote to memory of 2556	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 2556	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 2556	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 2332	3016	cmd.exe	rundll32.exe
PID 3016 wrote to memory of 2332	3016	cmd.exe	rundll32.exe
PID 3016 wrote to memory of 2332	3016	cmd.exe	rundll32.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe
PID 2304 wrote to memory of 316	2304	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1BDA.tmp\1BDB.tmp\1BDC.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://sdl.adaware.com/cdn/Adaware_Installer_UM.exe
3⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778
4⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:2
4⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1032 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:1
4⤵
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:1
4⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1360 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:2
4⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:1
4⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2868 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3956 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:1
4⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 --field-trial-handle=1272,i,2423677758745146658,16927773517085300253,131072 /prefetch:8
4⤵
PID:1780

C:\Windows\system32\whoami.exe
whoami /groups
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\find.exe
find "S-1-16-12288"
3⤵
PID:2804

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /f /t REG_SZ /d "c:\images\infection.jpg"
3⤵
- Sets desktop wallpaper using registry
PID:2556

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True
3⤵
PID:2332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2932

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1600

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\MoveTrace.TTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\FindDisable.snd"
1⤵
PID:2624

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RegisterSkip.3g2"
1⤵
PID:1752

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CloseStop.3gp"
1⤵
PID:1904

C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE" C:\Users\Admin\Downloads\RestartMeasure.pub
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1644

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\MoveTrace.TTS"
1⤵
PID:2824

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\DismountRegister.ttf
1⤵
PID:1772

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EnterGrant.MOD"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertToSwitch.ram"
1⤵
PID:1304

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RemoveHide.mov"
1⤵
PID:2456

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:1968

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
2⤵
PID:2064

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConfirmMeasure.DVR-MS"
1⤵
PID:788

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertToSwitch.ram"
1⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:2
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:8
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:8
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1636 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:1
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1164 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:2
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1388 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:1
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:8
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1204,i,11299605227508419552,425271799646457902,131072 /prefetch:8
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\system32\SnippingTool.exe
"C:\Windows\system32\SnippingTool.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\SYSTEM32\WISPTIS.EXE
"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
2⤵
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:2
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:8
2⤵
PID:1240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:8
2⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:1
2⤵
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2060 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:1
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:2
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:1
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3412 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:8
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:8
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:8
2⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1300,i,1634276216947462042,12000472634191065204,131072 /prefetch:8
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2456

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv"
1⤵
PID:3460

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Music\HideUse.au3
1⤵
- Modifies registry class
PID:3960

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Music\RestoreWait.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:4000

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Documents\AssertMerge.ppsx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3944

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ApproveRestart.vstx
1⤵
- Modifies registry class
PID:788

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RegisterSend.M2T"
1⤵
PID:4080

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CloseStop.3gp"
1⤵
PID:2636

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RegisterSkip.3g2"
1⤵
PID:2180

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Downloads\ConfirmWrite.dot"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
e74b97c797f758ae88bbc91aec355d04

SHA1
396dface23667b3298fe76e7c53888e95b8f9b0d

SHA256
7714399ab45b0d47d4c427af0295e864d6939e8981e347906a3834fd020242f3

SHA512
ac1905543581649e21e30e607fd10a202cb377bc7d902fe8bb5a5e59bed6dbd72476cda44fa7634c99ea1af30bd8fbba2d23dafa775e79ce07fbfc446fdd76f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a1f5e2e6a364779d14a37620d24a387b

SHA1
d5e57ace615d3bcb0fa8503a1c0ed09f716ddbea

SHA256
9664bc0edf68dd4a3890d97a762eed6218e2464387fc8230ab91b89faec8e8f4

SHA512
c47c62f5f4bcedb49b8153b2cf5999c2265a52e78757b15fd803fed1ade1b4d0c27ced04535009005f46a75f28c864ec475d21a39cef2143db70d08405d1d642

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
405a215f3a5d974d213123231d3d566f

SHA1
0c194ad6dab9881b252047107d335f736b184039

SHA256
6719c7b27ee0d4e782dceb47feea8a670f06f9c78573823c91fd49bce6718655

SHA512
b58fa76ed9dbefb57db67016d9fb8d9f6bdd9c4f4f2001256a26509dbb8f65dd94888398b247cac3f192f98176ac421a7fd43353a0203ff94ac200b1e194689b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0d07393ebaffb6128bea6f80d7ca2d04

SHA1
7a4c4eb35bbf095ec54e0125ee74369175160396

SHA256
7aa4c347e4ef8c108218cea63a49034df05c7ecf50cdb8325cd235b242208340

SHA512
c7a121603307b9bca3043e4a9103f92aed9b5d1762ab41d2ba94217712fc3734250e5473a896d038e4396b9d93abeb47e90ef9e06450b3211368efbabb9deb4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
39fc6603cf3cbebb2a59ac4ed5c01c2a

SHA1
ccf3963c634542456489fc9b93121d3746549231

SHA256
6e912cb760d4326cdf4590554604f2678430fd98dc27b44b0a0f1beadc68b3b0

SHA512
f8ae28b147b33f76edd008659c1d0074884129c4f1bfbec8defe6c7ee2092260b2760bc18f746c8b3371b9d9b07b7332df419ed1638785993c400c9ccaff6505

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de039b642ac69d6dd35f4a431a9dda56

SHA1
ec8528f717944cada78646f91a606824219eb6cf

SHA256
bd24cae9cc15d272293dbd411102c944540239256f254cbdab890eed6d52d4d4

SHA512
b21ba11459902d7272cdd4c6cef0f7c8d5080a047b3d362bc3c5ad28ec30d139407878832da3647a22fd943a08a0f5279c91407ea6211844c7af6cbaf1f8542c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ef153e8300a4b8660c3bab792149452d

SHA1
f2a57a34564573f6b8bf88ee787b75c076c06a40

SHA256
48b502f66f3c963107cf361d9617512a94f43c8954220d0bb26fffdbda5fb084

SHA512
e3b414eea329a30f3382c21ed1933f96a775a7b864389fb568d38b8856c01db64f5ec5cde9abd679450093c8172bdb7ae4327f150fd59d13de815028a237dff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
733b3bff6a8ca57756ef1de8adba31e7

SHA1
698c871dd03a6f730a88a744f452b5adea1de0bd

SHA256
ade16db2f7710361e77dfca8c21b0b493b13688dfd0c4987bec313b7b3744a6f

SHA512
05b1b0a6954a53c483a41c4320789b02fd21204f13074b2f46354bb2adecaa6290c095f8de43aca5ed4eaab32cfb09a05afc353c6acf68495e062bd3d96aa5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ee22d233199f390e8ee8c556e1befa6c

SHA1
cc53f1fdd302ba811d58b65b3d400da91d97d8b1

SHA256
0fc3ae2a04b04086abb4a5ab1c9b4897116ccd9b820f837b3096e2843dc74e4b

SHA512
59e0b93cce97320b57754cec8909d545cd07bf9b439e3df9d79f4783f3f0bbc32cb8d861543d3fc040a397dd5224c0038e04774b326a43bfcaf0250fc0ccb310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0b2a2d4a9f038e5bfc148c5a1ebc8849

SHA1
5113dc78923983a14c5ed353bfb9b882b542cf13

SHA256
9d119035304ef665f048959e2f9c6e5246414e4372bddd7176ce420f1787e763

SHA512
72be3912b27224338118af5fdd9d44a2c07de2c5aa3ee9276a17af8d529851b5457b38db1397ebd0e46c29c8acce4d0a8e84ac8aa051d93030ff059119e315b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9d3ac878544124f76a7b82f17e161aa9

SHA1
700ff30b173f40ec3d7c476d5b465d2c339a88c9

SHA256
c4c3921431064bd419d0357107b3234b54bfff1f338e628ec1f5e10daccdbfcc

SHA512
d6b67cd58a27bcf378a0ce9830f2a47a994e58390ceabf811c8216662893cee664a059ea0652b8c0f5ad0e7e197cde1f0eff7d80f4611aed1be59f3fba569327

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
41c8ef383bc24b908640c3bc5fca913f

SHA1
3d69d1d35a48648683eec6c4a95e478adcbeb9b6

SHA256
27edc5bf579dd5ccda9bb16b4207afc13d812b52752f7dfd7431b56ceb3f33d5

SHA512
2ae52b0e5fe4eec2d6ea3ed1ee6c51922e3dcfdad68b52a1a1766572c8697a4d7392855b1a252823e04d122b3fc249c1d22947abf587bad98191bf588a981201

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa0922c8e8199a0c86941ef539a57a24

SHA1
7bef82163eaa8cb3165434d60cd186aa2dc5ddda

SHA256
7fbc008cb3c133b6a8fed5c6432579a5098ecc7bb75aac09f5087c9582b43054

SHA512
d97c731a6a15a3d85fc98abdde16323f394c728a7e10a5094930c204e3ab22ee684b930a1c114230568f6487f3dd961631cb0972657bfe4abd6e605085e25043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7485d43e97d6a8b9740b2733197f7a09

SHA1
80e39a78401504297b4810005e87657bf1dcb3f3

SHA256
29a2c79103c848e0f7e8f90ef323fc24e9cebc50bd99e017bf5536349e526bd8

SHA512
5e199a23c126634be670701b649d4152c4c1b1b63615fd3dca16ae5b9f68603704008241f484242ec7d1b9319b84f9a800dd490e876fe1c108843091a17ad3ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9615f9846878edc849f472530c254642

SHA1
df5bdea7b2d7139d658b5c1971ebff265091014d

SHA256
aceef5e637c45a02111bc774242b2ededff5c1c52d9811e34c435c092c323629

SHA512
dfac802180356edc03b5ad204f3fced2422696b890340ae8724c51be83689c371a6099b80f2238a6c1bb564d72466b8c97c8e6e51d9d88fba7e84de473d358f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e4a75b64bc3a0643e383827e3ef2477a

SHA1
7f702fe348bb4f13b05edef019ad97f631c00cee

SHA256
c553969f69d63f5b30447644ca64d0f5b85341290c9c85532324719b87a81fa5

SHA512
917f45378e836bba31a8be3259045d4f050811a1e966da00f36dcffc97382ca808140cb537374813a9b25f17c016876bc9d233c39ca2e581bbd4f668514bdf9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
26b8ad62ab984437dd97b80c75c9b432

SHA1
0926f4e1bd6cfe5f8911c861d0b17ef3cee531f0

SHA256
c2c8f206df222dcc7bdb7c015280e6ba9d2ce82172562173fd42b80a93938a50

SHA512
d91e7f8979a788181254e480b6b313d213666561dfe7a2e2fe603401f95af5287351574433dd3c2fe8f506170eab83cf4e969439bb60bee2f020fe7f756ac0c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cce3068c5898838625895858ab3aa9cc

SHA1
ed3e930cea196b88320caf020988e94873d9a4f4

SHA256
47f7870a6d7d22be33200cbae156014e1754af497ab3fba58e2f7ca917b2aff8

SHA512
7117010e3c6c9635fc48ae1fb01ba50807381dcccccdf98366e4289870a64e8f1342e84e0de319fa87d12fef440389d0fd37272ef698f5b49c3252288f9edc22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f16617652feef4748810c39d10ed426c

SHA1
13fe8a48eea77730efba1be094745b2e1d90fb1e

SHA256
53d691961b28a69ca3eb6ff2479e0becd79ed533e2166cfb8cd1bd61e49ce507

SHA512
c72e45d27614c95a770a1de7f1f00add665cec3901567750abd11659312f08c98c0e1cb40e77f916558dad0b8a8038596252c5ad71ec401acb81f6bf07a43aed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f38c81a2eb60a1d20b89b8ba7387d25a

SHA1
c434332e599c55bbd2c4ed871626b9958458a9b4

SHA256
c451249ac20c97b0fb85ea745dc12e4d91b1e085f60e3a24da9e62055e7ff5be

SHA512
e1f47ae2b330dbe98760eedff34b2f9b8fed97f1c863ccb4ca9e23a3db084dd3926e0392bed6dd773c4e3bfa55d3aa98fa03a8c0e78593e1f698841f31918d4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
73becdb532a34b37d181980e79dcee09

SHA1
4ac33e25511dd31f69631d402f5916be2e45f427

SHA256
9520d5e5064ec3da8e96b8b7b278bbc325fc51b0adca2627b94b947863d2b171

SHA512
59ed9640c5d4b2f54e4d414554b2043cbc8b208b0070f65177f6585a4c934fcceb46a127d0e0021f7f3d45fb8fd3ef30fab981887178d31b9b97cc02e89b047a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fdff6c825f90afb9b85cd775345ca613

SHA1
0785ad6297c00ba95a8f5b41590af2f9a97c3727

SHA256
0951fcc3b48345fcc8b8e0197e34cefdd3eac28bfde0e8a8227f562183815c2d

SHA512
30a284ccac31db430fcdd5624fcb26480e784d10a3f03af3d9dd6af8d8799b48afb499af8258936148ecf23bc902df6fe3fc511432adb5e08466ce4edd5d8141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6786581874249755019fd856590b5f83

SHA1
c32c56a5311aa5f09f6c477f4a86e495dc7b4f14

SHA256
74833e768689648b7aa6990dc2ab3b155f9b999d8ddef5da27afefd129c995eb

SHA512
1505a643d2cf6a69527c906c091892c013b7c44960140b6247ced00b2f39eda12e547744b3cfb870fc7ef46570aa5f46d15babc60526967f24c141528961314b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
666229e0a40a88ac623c91c71c63d20f

SHA1
252416bfb36e08232c704d9b2886e8c9d2ea4a46

SHA256
d898b06194604bf1481bc612574160eb7cba2c0e49639d1dbef98981ec903d0f

SHA512
a362163e65b5859098342c4295d96da36150671904c8904921b642029379e837837b086693bd098ed16ebd88d9f2845d359b9b48ca5cba94599a2008b581db22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3f86c2f4-4a41-4196-84e6-03e69174234e.tmp
Filesize
282KB

MD5
9dd66de85a1f304d78873f2fb0864804

SHA1
f159a1c722758cc1c1b5f2f63cdf662822bcd9d0

SHA256
4d5ef43eff363c817c1e3c7f8dd926328544a7fb9ed8c875d6763d71b808a1bd

SHA512
21b255d68916e96d600540236fa9619b563bf2a927eae0eb3990079943e79c3634a614bc2e3b71b72abf2b8af73d9efd242377a2db50f1f16dd157777f62c8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5dbd007f-2cdc-4913-9f49-f0a814078da1.tmp
Filesize
147KB

MD5
5947f2cfacf25d9302ce783b0d9363e6

SHA1
bb7e98996c3b4e39d83d4f6e7d7c1fe6b11a83a2

SHA256
7b1cf0f280ad4f4b8fcdc2c4b237d163ab229e3c3d94ee95ad07eb606083b532

SHA512
8fbe694fc38725701417fb58eb6dab22aefcd25953d8da88ffec93442948506a48c6584b3f37b4e3c2101e64e41152ee9568073ed50c45bd24dc07bb9c47eb9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\92f1ecf2-4dd6-4f61-96ab-08b2eb918e8e.tmp
Filesize
147KB

MD5
b2dba6c68aeeeb464234d89b997ff660

SHA1
43c4e84b4eb23c60b0d2e7972eb7b0fb4f75a21b

SHA256
6ebd4719111b7f7386b93b5ac464ac0d0a267a68bb58af74f25831d45ffedfe8

SHA512
0058a29956d532f37078d3b6ee9d38c3704a42525ccd41327a29e1433a6fda3e991111876f1d172dd4f9b1979407bd3de1950f700e750e16396bcc927350a4e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
9459aa09d99c77cd8234ab590a23f290

SHA1
a22d8eb9e980a15c7fca074d80ecafcbc9d5098f

SHA256
1ec747b8e12f84b4ce533c07f63fd573d066e366e44e3b81e2bc4a5a4c53e77f

SHA512
0415800bcf68d4c096a65aaed32477dd136f3e6a920fc2f96e6d2f849976d5ab0fe03619ac51e25201742ac75e4f72271d26de8ddd80d3e7904ffaf221a2b4cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
9be75e5160c11eb926e641f7bf6b0c78

SHA1
a95bf06174d18584151a4eb3cc9850822f9b4116

SHA256
8b2d344faaec40bf07125b8092cc907a4df577712ec8734e0555cf87e33bb091

SHA512
6ef3aece0a67994332e0f41ceb1ba8e659d4e516ef76064e70620c2b77e9cfebaf20362fe6ab91bc2206b5ff81ecc331b32a105580fbd7607d6d23fb77ee68f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
77dbca4f2249f5ef36452940b1f3dca0

SHA1
002c75d4e5cbf7be5166463034ef88fd7228332a

SHA256
0626d2b4246781fb2488c8aef08bc2f4a9ced2421d901ca26b22f88f2c9a7a31

SHA512
8e2f443f53991436c6be12f5912aa3379a992286af38f85074710c8976ee35c847106011bd9e9ead837634d0a4d03924a4cdebf2fb7b8207be2968dd6b9c1443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
7dff8ff53f04ee265d79edf2d8e93317

SHA1
900066734a4624a1c1ae33ae873b16e354c36d42

SHA256
1de79119409253ae79586d28828e1c397cc06cfd61d10d61bd959de34bc288a3

SHA512
cac46ebbef8eb31e084caad2f4587ae2dcb57c07b340d6f2c6035e954eb3e995f87bc892398e20d3a5973a21482467a6accc3e5a03b478e2485a280230177ce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
438395e8a393ad536eef8570f1958365

SHA1
a0eacb5623ea53dfb3f06aaa23ec4d2f818fbea7

SHA256
f370f5281a04886f901dc83c50e9ebef2b2133fa961b4978aa6e4e150382bb68

SHA512
45c838e0970bb55250427bb4d0a37c70b6e028ffc7023b2913be855c94e05c32bd6c1c8de1d634693e2000c951904e09b6b12b38e349cd13946ca71021785b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
835e046244cfc0b65b65746965aaf114

SHA1
51faab645f787602b83d89c3ea58903c3cf5f45e

SHA256
34d750e3ba499b6645e8d1099a57051b0872f9e173a75a61f33f6f44dae89eb7

SHA512
c188934b35f6c73e33a6136620fd1d168ffdc54d8ff0e276ed022bc18bd489af464b644a04f0fd471d2c9ed32d81df6597b687a8523f22c0b021eaa95cd7df57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp
Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000011.dbtmp
Filesize
16B

MD5
6de46ed1e4e3a2ca9cf0c6d2c5bb98ca

SHA1
e45e85d3d91d58698f749c321a822bcccd2e5df7

SHA256
a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06

SHA512
710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
136B

MD5
2fea5d896e82bc2b783e24dfa388b830

SHA1
6126eabcb80864603ff751636e25e626c93bfbda

SHA256
6b6070faf4179676ebe71087c7ec0bcc349e81763059dbd7bc7175e22a11d9e4

SHA512
b6c79e38fc426b6c41389c8495fc735620478b29efda2dfafe4cdbdf47752863d6afe1b2a7ef0956ba54ce47a9a22fe16a37225706df7b4d8b1225c2032acf68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007
Filesize
50B

MD5
1be22f40a06c4e7348f4e7eaf40634a9

SHA1
8205ec74cd32ef63b1cc274181a74b95eedf86df

SHA256
45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691

SHA512
b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp
Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
136B

MD5
6a6790bc10ac96c2c43a128456338ce9

SHA1
1ac74a4e05cce88ef4398fe136a1c13ec84bb9ee

SHA256
08f56fd1c76c8275ccaed33a94042f7b42be94a0a3f36148ccfd04524f0e5249

SHA512
66cc3861ead23cde7e2ef807f2ad22235101a462cd2c0e2d5a1834b1db7a53b3c1006b1f3718691e1a05b829685affd89ff71b07fbb877904d740ad09be2d85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006
Filesize
50B

MD5
78c55e45e9d1dc2e44283cf45c66728a

SHA1
88e234d9f7a513c4806845ce5c07e0016cf13352

SHA256
7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec

SHA512
f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
8c68551679335ab3b93e33289076c0f8

SHA1
05a19546838855af518b1f69170dd975593cad7a

SHA256
1804a9418ee0dfab90e63daf1b66a48cd141fbfb9948eb62b030a35c8f816406

SHA512
e95ccba094f8edbed86fb02d9c73c8eabea4f2206e159064283e9c47bec0b4f6f8a55f6e6905bea505afec0375d94ef1bb6f3b0a26192a7da5aed77ec1f206f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
cdbfb59d590d6df5dd2e11a00420e245

SHA1
4c890454cc237715cdf9fb8497602b09502ac3c4

SHA256
6cf0bc0b3387895f6a25252dd1dbb9f1bb9b48798b330220e84c648775a8b30b

SHA512
b7b68a4e744e2bb9f8c4044e37591e7aab781c3d53cc4201a7c3188aecd538b7ae153efb97653ca824843563167fda4348673b7286e9b1b14c1d3ed5d0b01125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5be9fbd9a00058afd7c982be6d287b48

SHA1
079a61d8d191675bcaef29b20c6ad2ecf724f1c4

SHA256
68ec8ccca6011e4250566a7cb729eaa8e0cab626fa601bbf11c994ce9d286562

SHA512
12e1f5d8d5569a0f108d38d4cf4d4cffef7071013609066900e7c0c0c89ace332622aca9b36c4a3e6baddd000fc7ef9639f88c80369b235860cd347560c02ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c4f90535dacaef49fb859d3e851202ad

SHA1
c41ab6a2f576b9b3055cb992e6a6f3dc015d03c4

SHA256
65dc13062509d038b043ec0178162aab4b76a39bbfa3747bd08500a9b4a4a1b9

SHA512
d1004871d327afb8b9a033f1ff279093c87d3afb85de9b9e98804f33392aa438968c96e65754c07d28acc7400b8c64f4a0cf33e8da584519225faa6bc3c8f39f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
eaed1f671ee5b23223165da8ee1ac826

SHA1
88d38758931aa73ae6f6d5e68cc07c9a953fdb63

SHA256
2ed878813c70aa727be4cdd2ae600d25d45882327a903863374c87ca011702c5

SHA512
2c01fe851d180f0f1d0643ebc16d8f7345a6b6a20a2b676661e92c1dd616f7e803497d6681d9a63b10968425240f80398d1557ae52024fb0dd57a3f52bd6496d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f77344eefb2ceab248584bea6e92b9b6

SHA1
3b1ea4e1caf374d7e76e126b8ac9dbd27041a634

SHA256
e92d982fa270e5aefffe00172e5d0ee945594c1b6e6efa12c09769f9f7f0b361

SHA512
ba3b6752768adf928e4e40e279903ab07e7957d8d0a18529f70e6ac380a30688d75839cd63b46a2ad29a0dcf50294a6f2cceb41f183d2130015570f17c40e7d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log
Filesize
218B

MD5
80801c4a6f7a4c7cac4dbec423c3d661

SHA1
08476e2cb786d207d91e65dfbef9fab64a3a9545

SHA256
e933b70c17d4cf3bd9018aa60b1ee8832aea31b7df2fec767824eb6dd1e85fdf

SHA512
a6e4a19ea80bf450a7f3706b080d34a934ef38abdfd7c4bbf55d6828df5ef8ffabcc129ea61782cbc64e9e0c51b0f4b41fcf1d43fea4b00083b966d5cbce971b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
247B

MD5
eed2b56453a5ef432084bb30d6516b68

SHA1
d81fb8ae23bbb6d508e2163d8c27fa8cce8e648f

SHA256
5462c420925e2cc128a79a9a789c9999c12decf063a96e9e987cfe731337a652

SHA512
8f2b566661f86cf1bb9d348064ef0d26739c659c1fd16d03411c3faa4915fda19a29d6f99750d0d9cb36ee2b6b54ae379175dbff20878b152d67f930b0e10e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007
Filesize
90B

MD5
b6d5d86412551e2d21c97af6f00d20c3

SHA1
543302ae0c758954e222399987bb5e364be89029

SHA256
e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191

SHA512
5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
136B

MD5
31465d87de8e86e7872151f7aac09b31

SHA1
8d13c78a3aeea2da984212da2b0f1a6bea9e6065

SHA256
895595bc4271c9b918efe9ec69ab173c398ea1d470aec728054d2cd9ce974a4c

SHA512
68361f70cbe043aa458eae3454fdc71dd9d1f1ca3ef85c309c55c838f62335f678037b791f30fde1eadeb2e0e3c07f3f1ad0c75a2eacae1dd9b428767fd8244e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
Filesize
107B

MD5
22b937965712bdbc90f3c4e5cd2a8950

SHA1
25a5df32156e12134996410c5f7d9e59b1d6c155

SHA256
cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb

SHA512
931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb
Filesize
1KB

MD5
97607315bdfcea87cbdb60d674c09f12

SHA1
adbf1f5d1255a6849031f1f13be3f2725b34ae31

SHA256
fe44138f5c7540ef39fac4e001c01e31dceb4bd85db2679a07d6f45853e9feb0

SHA512
c9e5c269df4bfdfa5224ed2c4e38c773b3d64f053982f9a822370a78765a37e8e422496e5fd4623f11dd40124e7d7e98d18e4bafb9293a88cef235a6f3845731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log
Filesize
2KB

MD5
dcce1bc555ab72de19ddbac274f89f8c

SHA1
f836bac9042a56e53ced5f68a839b9b1505bca95

SHA256
f0a1edd8b752f58939380694dacef9932a203b2a2260d485399443f7fce8887a

SHA512
c5af91fbf5d23d39d5d5108cd3e92a77c829dd80b2b7ff243530bd0fa903490adacbaebfa60faf61f8c5eb3103fd80c051a38550fcfc9831b6302f1b04e5c40d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
250B

MD5
a5294223234c00c159ba810e56d072d3

SHA1
9644477a14ab9346806e7d631b30158f474befe1

SHA256
de15b27de8ffa2a55f2bec2856f36b5a93f0c597bcb2c93b57518c9b1df9ff65

SHA512
9dd355c3b44b007e603d664c14d3f560d66f18966dfad4e636ce00a502107b763b9f4bd1b21a473db1350d61b2194297051147e225022a87be5b430263c38a49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007
Filesize
250B

MD5
03d881fc5a4ab4013bd1b30988abb179

SHA1
9ad861569715575d7b676e5683b14dd3cffec304

SHA256
5da7b30f55f920166ad821f532fb95bd11546bf63a228fc41357aa122fcaf5e8

SHA512
29ab8ac2c642a83086266f88ffde8d71c96cd0d98812fac526e0a0adc58d8bc7f99760ad19a71cc38c3ef5edb9ab9d642ef6b665bf4ce336260b0171411e26f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b7c73600-5c8e-4c3f-8588-0e423320183a.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb
Filesize
485B

MD5
2714e68f2e9036d986e73b16af4f66a2

SHA1
43b2c650b2184ef4b3b21d1668d1212441151b4a

SHA256
42f021afccd49b5a70c395d764705118f28f9a7312e243cd239b8a7a453380c0

SHA512
ee65b30d1e99f3c4401657abe5f3c4ed5b84a78aac7d33342973bcdd18b33a03a19e27e7316f4bcbc0087a842e23afcb4f85ab39dd7491133693aba0e66b2afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log
Filesize
254B

MD5
78f243e2f275b89be731054d21b80700

SHA1
17737836692c0951021361a44319935e2a8c5e92

SHA256
2d8cd634d35b5db3fd75023fed83ff47703b470c985c593bc22b9c8ab78eb538

SHA512
4ab6ba87f8d8794a4a64ba987e908a1cce6f1ba167979e91b24e81ebdc5dbc66b21a14f57072a08e2b62d1ecc979d152e451bf74ca9f53fda337aef6523d2b32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
Filesize
249B

MD5
975ba3ac2c7034400097b73390e22b55

SHA1
4fcb1c6f9f7d01ad3eed8a53c01b3ec6bfafce7e

SHA256
703025b15bcb6ead3cce3a6a36e448a936e5a9e9f7823269bce691c435ffe034

SHA512
6e65148f1c72d39b38a72813e30d532c75af96462bbf5fb829878bb5fc175a2f768bed8cddfa0e8cb95b8f0f1245d502af5fc45d82872e70de2c7a4c8c9ebd94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007
Filesize
98B

MD5
1c0c23649f958fa25b0407c289db12da

SHA1
5f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574

SHA256
d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf

SHA512
b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb
Filesize
318B

MD5
331560a427757426d9397a1e62a0c32c

SHA1
1dc32f4a19a19318fb06413195d9a804d268134a

SHA256
908e2af465665e808647228e603ec72e111de065c06604e749ef8141762ef718

SHA512
073c476dddfe4c07a8e212904cc0cb130a694328559607fac947e64c94bed3fcdaa83edaeea84548ef3b4e5c4406469117d5b123f0af5054c8f49b84c43de1dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log
Filesize
34B

MD5
fe62c64b5b3d092170445d5f5230524e

SHA1
0e27b930da78fce26933c18129430816827b66d3

SHA256
1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4

SHA512
924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp
Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000013.dbtmp
Filesize
16B

MD5
a6813b63372959d9440379e29a2b2575

SHA1
394c17d11669e9cb7e2071422a2fd0c80e4cab76

SHA256
e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312

SHA512
3215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
Filesize
249B

MD5
90c5a97e34c7a14128e920423f548812

SHA1
c569627751523ba5594ec20a3ebe3840b2ac7ea8

SHA256
906ccd97e9322c8278dba0e4977a0bb207099a62b879d226bba041a8cecfb679

SHA512
2e6e95ddcc78aaa18dd2569fe4e39092f87b078e338f3fd7e860fb586386b39c0001710e795675aaf6fed6b055d720db953359f4e27333f7fe9c3289784b2008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
Filesize
118B

MD5
93c1b99a4b241cf35d8f30e5bae1df5b

SHA1
1abf5139d1ec1a99dedfdeec784e21d1ab91cbee

SHA256
71d685a0815d4448ed04900527d79e826049eb8d16d3ec6937905e4d29c2c310

SHA512
346563e4f19941faf9345b64069449527c023c6a11f9ba3bbdb62649dd050801e98b1170dfd897ac1c87bbbd1fe042f19a86c26c16ef2bc0acd88e1c5655d8df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
19b22ba3fb18be628ade2d94e2ef2128

SHA1
d93577e6f223efb2ad2d2243002592b38bb3cad2

SHA256
880043ebbb3044cefa3258736039a25bc5bdd2fe23e2e542f3f9241ace9862b6

SHA512
99c2eb337e0a08d0d6eec041ad42dd31b212c72d0370e15aea18581754296717ac4f578f770a327f6c06bbc32acc77904464c8401273ffa68f5aa8b6212bedb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
04b06f6f4438d2ced233e34f347c2f35

SHA1
11f642791db619bae98ad25f5a41721e5a7cef32

SHA256
28a0766e0ee24da65ddde60043cea7d42857e4fc687dc7892e9e8817ad2e878b

SHA512
14845473b7969c9cb5a1b16d926d7e5035db84b91425a21d4e076502afce9eeaffc54da36157d7dd04dd9a4612c6eea7beb2eb03520300c3e06da41addeeb143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
147KB

MD5
a6b9d2feb6b21091a054bee6feca1c4d

SHA1
e0d48681fc070dc228e4d5eaa30e403176aa93dc

SHA256
3ee796e15c67f0b55fd82093e1045320cdaaf129f0ecf9a30192dd8f08055710

SHA512
3afcdf0a0fdfff48f5be3c1832cd706a103e5d6e2c53eec1854cc556e1ca1ee7a6bc2c5c573f2c274cc40f068399edd3206f46a0d8586fe482e22c2867f77e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
5185542d9f28df5878cdf25b7a037589

SHA1
8bb5ebe1fa99e61277d3862bb5b03fbffabdb773

SHA256
969286a202be827d7b08ea6c2f311269951cf7df8e51f6aa89de7ff5882a8e54

SHA512
6da4d620e264523b02ab7843b348cb41071d57512c2f9766e2585cd6b68f0b9e5eb25abdab1c66a879ae71ee2453a1db82b2aa04ab701ef329852b57d995cd91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\Adaware_Installer_UM[1].exe
Filesize
16.8MB

MD5
5b2644058500050d77d44129f27aeeb4

SHA1
1b13e206d2d565d570a33a5f8c762b7e0ad8375f

SHA256
9e6b87aed4b1458508e63be265ec1216c3b091c2f1a57d06a43e7e4149c4a94d

SHA512
746194dc89db5b436a1f082b2f7288815ca7808bbfe661649633ed7b02c7ed6b9a06806d304eb91ebe4b6d876552e39ec0b61684bb874cecc05c76829938d7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc
Filesize
800KB

MD5
70aeca1331ca54ebce0d3f0958b6c4d7

SHA1
3acdee6daef196f13ff7d3de3e5bf46b8f3048de

SHA256
882fe14fe1a66561c0b7f4fc7b56effcccc0753b793c9d2e9c794326e2c99036

SHA512
8fcde6714bbfa6b7154a8cfaf9e6ad7c9e4309474d3778e19f51f3cc52c5c563ca454bddb73ed5d529f418cb321e93af42c7b29c0a8c8eadf90468f4f244c490

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BDA.tmp\1BDB.tmp\1BDC.bat
Filesize
1KB

MD5
6c9b50f4cf86d7277619a1c614692039

SHA1
83d4d97bb4cc2c1a866d61c48a403d806bc58677

SHA256
53ed9b03e64843b1fb98fc6426aa30fdf21f84690dc91e56cf13e102278ce68e

SHA512
4c51e1f98a5249b5229df84df496dae11fd70b036dc561bc547461ad022a3acbd03065a3ec96d46f54e881a983dbed506e2c046304c5939c40d4eae8da25ba67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2020.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20A0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49818.WMC\allservices.xml
Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51066.WMC\serviceinfo.xml
Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF59F7484B0C811ABB.TMP
Filesize
16KB

MD5
1c502fd3c82c8e421ac3c9eb760f23ad

SHA1
1291e9b6ebbdda4310232d1383ecd322ce7e7f39

SHA256
7cb2f44e4d6a310f4647c25e445b2426fa283956d18f6bccb88974cc64b69698

SHA512
662575f946a1dbb98537b8a56794cd57edd1871f3cf0b35e22ddd47aa64cf2677821c768ee3415c0be070cb410fef831b6aff235b58100d22a673b242d6a6278

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
466622d9e884c6894a9a7abbe270dbb0

SHA1
fe97d082dd3de9043bf7568c11852c2fac5a0c0c

SHA256
248184c2c248ae9b3e9c859745d3561ad23e287f761d9df2e4b9c5caa63e1dd9

SHA512
a48cccc0fc065728479d23c3459306b61a5a77a7a453626e9ed6481f1c7a13bc8d2368b1a84a5639c6a0232bedb0ef788d2fd138a895f452f2df5f0b9c3899f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
0e4c91bec09a9bd7f3a57a38b9d7456f

SHA1
104f8a9e9eba691a71cd0bf18b5ae215148312ae

SHA256
56e09247ad150a4a686cf1008e47d6a49f9ea5deead1c119b2cfc02dc889bbed

SHA512
6e25334c3a7ba460c12dd1bf24cae9c14596c872b8a050b99e859f35ff25cff9fdc58a6b874daacedf9d3874d381fcbd1a3401d7c37fa14bd5b03c2285107dbd

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
689B

MD5
860d6aaa71a3a9ed887c75e6b3507e00

SHA1
fdb554061fe66a27e80cb4166fba6fa4bda41f6a

SHA256
f9405fcd6d15a74caeb18db3e39e6f6b9bb10abf3031787decfec03d6798cd73

SHA512
8f52f5bd5c1e50dddff8cd70b39dd05ea68e7c3456b72ff868027050efae916a86cc1db51f5ba102e43a724cb57a0d252d4396066ecb51215f59c216551243c9

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
1KB

MD5
21313efdcfc6bfd6b01b6fbc2b09e31a

SHA1
b8ea1bf5ed69a1125966b6a61c0ac88d543365c5

SHA256
1a0d234aea4ae038faf5358a274ec028b6b1cbcf158344f5d6cccbb3b70260de

SHA512
d9d2e000ff94fa4a4f451abedfa390f8039aa95daeb59593a493ce515459c56ea0e84fad32202a07960c7df244e940aef1014cc3bf875674d6407546d0a206f6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
130B

MD5
61ce789f7edf21e8e9ecf13147b31914

SHA1
364dd875b6a87afb6d1eff64bab156f7ea76c796

SHA256
4d48d9b7130acbe99743ee04f75edfa5f8d329108acc379942bab4e0a82f8f9b

SHA512
b6c1ea91220976f193c9fd249db3fa91facb779de575b1bfd44e59c9d9a2b7a2b259f84757bd327c8445415ffa9d2c8f341db13d4bd26414f5d71dfde126df6a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
Filesize
18B

MD5
cc01a4d57489ca5419e83d564878ac39

SHA1
26bb3e82e499348a21be7b6df01d60149ee11382

SHA256
282794939ea6e070e7778a9aba5fbbcc676c0b142b8c8ecdc0829f9da2e6d487

SHA512
ccd7ef43624e64160a4a0bd017191d27f63a0525627dcb80f8de1cde7b368089144f201124d1fbbdc9c8afe0d718cb46daba3667f065fde7b4f500f9d7f55117

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
Filesize
18B

MD5
1116309a8f080aca4b1e7ed686b66580

SHA1
b087ed4c335c48a64a9c02ff7a10814ecce05e50

SHA256
c9108e3b7e4355db9b0f5e8899760691b8975307232a9434d993e389d2d929dc

SHA512
1e5703a3ee7f261a16f05cf908028992230f8f31239298156b95847a5600e1e1568daabf82c68917bbd7fe374c0c01dda70a053ee84a1a4e48661d927b93015a

Download Submit
\??\pipe\crashpad_2304_KWCDXMCNXHRXTBWH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1636-480-0x000007FEF48D0000-0x000007FEF48E1000-memory.dmp

Filesize
68KB

Download
memory/1636-601-0x000007FEF2A40000-0x000007FEF2A51000-memory.dmp

Filesize
68KB

Download
memory/1636-588-0x000007FEF2660000-0x000007FEF286B000-memory.dmp

Filesize
2.0MB

Download
memory/1636-484-0x000007FEF4010000-0x000007FEF4021000-memory.dmp

Filesize
68KB

Download
memory/1636-483-0x000007FEF4030000-0x000007FEF404D000-memory.dmp

Filesize
116KB

Download
memory/1636-475-0x000000013FBD0000-0x000000013FCC8000-memory.dmp

Filesize
992KB

Download
memory/1636-591-0x000007FEF3F70000-0x000007FEF3F88000-memory.dmp

Filesize
96KB

Download
memory/1636-592-0x000007FEF3F50000-0x000007FEF3F61000-memory.dmp

Filesize
68KB

Download
memory/1636-595-0x000007FEF2B40000-0x000007FEF2B5B000-memory.dmp

Filesize
108KB

Download
memory/1636-596-0x000007FEF2B20000-0x000007FEF2B31000-memory.dmp

Filesize
68KB

Download
memory/1636-597-0x000007FEF2B00000-0x000007FEF2B18000-memory.dmp

Filesize
96KB

Download
memory/1636-598-0x000007FEF2AD0000-0x000007FEF2B00000-memory.dmp

Filesize
192KB

Download
memory/1636-602-0x000007FEF2910000-0x000007FEF2967000-memory.dmp

Filesize
348KB

Download
memory/1636-603-0x000007FEF28E0000-0x000007FEF2908000-memory.dmp

Filesize
160KB

Download
memory/1636-605-0x000007FEF2640000-0x000007FEF2658000-memory.dmp

Filesize
96KB

Download
memory/1636-606-0x000007FEF2610000-0x000007FEF2633000-memory.dmp

Filesize
140KB

Download
memory/1636-608-0x000007FEF25D0000-0x000007FEF25E2000-memory.dmp

Filesize
72KB

Download
memory/1636-607-0x000007FEF25F0000-0x000007FEF2601000-memory.dmp

Filesize
68KB

Download
memory/1636-604-0x000007FEF28B0000-0x000007FEF28D4000-memory.dmp

Filesize
144KB

Download
memory/1636-590-0x000007FEF3F90000-0x000007FEF3FB1000-memory.dmp

Filesize
132KB

Download
memory/1636-600-0x000007FEF2970000-0x000007FEF29EC000-memory.dmp

Filesize
496KB

Download
memory/1636-599-0x000007FEF2A60000-0x000007FEF2AC7000-memory.dmp

Filesize
412KB

Download
memory/1636-485-0x000007FEF2B60000-0x000007FEF3C10000-memory.dmp

Filesize
16.7MB

Download
memory/1636-594-0x000007FEF3F10000-0x000007FEF3F21000-memory.dmp

Filesize
68KB

Download
memory/1636-593-0x000007FEF3F30000-0x000007FEF3F41000-memory.dmp

Filesize
68KB

Download
memory/1636-478-0x000007FEFAF20000-0x000007FEFAF38000-memory.dmp

Filesize
96KB

Download
memory/1636-479-0x000007FEF5F20000-0x000007FEF5F37000-memory.dmp

Filesize
92KB

Download
memory/1636-589-0x000007FEF3FC0000-0x000007FEF4001000-memory.dmp

Filesize
260KB

Download
memory/1636-481-0x000007FEF4070000-0x000007FEF4087000-memory.dmp

Filesize
92KB

Download
memory/1636-482-0x000007FEF4050000-0x000007FEF4061000-memory.dmp

Filesize
68KB

Download
memory/1636-476-0x000007FEF3ED0000-0x000007FEF3F04000-memory.dmp

Filesize
208KB

Download
memory/1636-477-0x000007FEF3C10000-0x000007FEF3EC6000-memory.dmp

Filesize
2.7MB

Download
memory/1752-447-0x000007FEFAF20000-0x000007FEFAF38000-memory.dmp

Filesize
96KB

Download
memory/1752-448-0x000007FEF5F20000-0x000007FEF5F37000-memory.dmp

Filesize
92KB

Download
memory/1752-449-0x000007FEF48D0000-0x000007FEF48E1000-memory.dmp

Filesize
68KB

Download
memory/1752-446-0x000007FEF3C10000-0x000007FEF3EC6000-memory.dmp

Filesize
2.7MB

Download
memory/1752-445-0x000007FEF3ED0000-0x000007FEF3F04000-memory.dmp

Filesize
208KB

Download
memory/1752-444-0x000000013FBD0000-0x000000013FCC8000-memory.dmp

Filesize
992KB

Download
memory/1904-460-0x000007FEF5F20000-0x000007FEF5F37000-memory.dmp

Filesize
92KB

Download
memory/1904-461-0x000007FEF48D0000-0x000007FEF48E1000-memory.dmp

Filesize
68KB

Download
memory/1904-457-0x000007FEF3ED0000-0x000007FEF3F04000-memory.dmp

Filesize
208KB

Download
memory/1904-458-0x000007FEF3C10000-0x000007FEF3EC6000-memory.dmp

Filesize
2.7MB

Download
memory/1904-459-0x000007FEFAF20000-0x000007FEFAF38000-memory.dmp

Filesize
96KB

Download
memory/1904-456-0x000000013FBD0000-0x000000013FCC8000-memory.dmp

Filesize
992KB

Download
memory/2468-709-0x000007FEEF810000-0x000007FEEF85C000-memory.dmp

Filesize
304KB

Download
memory/2468-2004-0x000007FEEF810000-0x000007FEEF85C000-memory.dmp

Filesize
304KB

Download
memory/2624-433-0x000007FEF3C10000-0x000007FEF3EC6000-memory.dmp

Filesize
2.7MB

Download
memory/2624-426-0x000000013FBD0000-0x000000013FCC8000-memory.dmp

Filesize
992KB

Download
memory/2624-434-0x000007FEFAF20000-0x000007FEFAF38000-memory.dmp

Filesize
96KB

Download
memory/2624-435-0x000007FEF5F20000-0x000007FEF5F37000-memory.dmp

Filesize
92KB

Download
memory/2624-436-0x000007FEF48D0000-0x000007FEF48E1000-memory.dmp

Filesize
68KB

Download
memory/2624-428-0x000007FEF3ED0000-0x000007FEF3F04000-memory.dmp

Filesize
208KB

Download
memory/2824-613-0x000007FEF5F20000-0x000007FEF5F37000-memory.dmp

Filesize
92KB

Download
memory/2824-612-0x000007FEFAF20000-0x000007FEFAF38000-memory.dmp

Filesize
96KB

Download
memory/2824-610-0x000007FEF3ED0000-0x000007FEF3F04000-memory.dmp

Filesize
208KB

Download
memory/2824-611-0x000007FEF3C10000-0x000007FEF3EC6000-memory.dmp

Filesize
2.7MB

Download
memory/2824-609-0x000000013FBD0000-0x000000013FCC8000-memory.dmp

Filesize
992KB

Download
memory/2824-614-0x000007FEF48D0000-0x000007FEF48E1000-memory.dmp

Filesize
68KB

Download
memory/2992-468-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2992-474-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download