asyncrat | 76d4ee5ec5ccfe4ab753df085bd6ff3a8dec2dc74b1d4f2f0c4e383ff76259fe

Analysis

max time kernel
629s
max time network
630s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7oQoGzh.txt
Size

10KB
MD5

f9f5ed4701f42db8220e2475fb7acd4b
SHA1

0c6a26d6dc514f0ef6caf2e318b0ff4beb714b3b
SHA256

76d4ee5ec5ccfe4ab753df085bd6ff3a8dec2dc74b1d4f2f0c4e383ff76259fe
SHA512

7e11a18779d077aadae48570136f87ece6a070cd11f0555e5a687f486d82841bb72bcf82ae54d0320e311c2c43c6dfcd766b28f0d43c631aa75863aecaa13b3a
SSDEEP

192:VbbzEdixAkWQwtCNyX5JAu3e566uPoxKgWPH82gk2g7gQKFahi8v:VbU4uCNyX5JAu3e566Hx6f82gk2Mv

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7534732680:AAGepsn4HrNe3W88LNfeFn3aKvtq3By33sU/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\sss.exe.crdownload	family_stormkitty
behavioral1/memory/2708-105-0x0000000000700000-0x0000000000732000-memory.dmp	family_stormkitty
behavioral1/memory/2808-845-0x00000000011C0000-0x0000000001258000-memory.dmp	family_stormkitty
behavioral1/memory/5032-849-0x0000000000740000-0x00000000007D8000-memory.dmp	family_stormkitty
behavioral1/memory/4848-850-0x0000000000600000-0x0000000000698000-memory.dmp	family_stormkitty
behavioral1/memory/2396-851-0x0000000000FC0000-0x0000000001058000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

Optimum.pifOptimum.pifOptimum.pifOptimum.pif

description	pid	process	target process
PID 4424 created 3416	4424	Optimum.pif	Explorer.EXE
PID 4424 created 3416	4424	Optimum.pif	Explorer.EXE
PID 1536 created 3416	1536	Optimum.pif	Explorer.EXE
PID 2248 created 3416	2248	Optimum.pif	Explorer.EXE
PID 4452 created 3416	4452	Optimum.pif	Explorer.EXE
PID 4452 created 3416	4452	Optimum.pif	Explorer.EXE

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\sss.exe.crdownload	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NorthSperm.exeNorthSperm.exeNorthSperm.exeNorthSperm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NorthSperm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NorthSperm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NorthSperm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	NorthSperm.exe

Executes dropped EXE 16 IoCs

Processes:

sss.exesss.exeNorthSperm.exeOptimum.pifNorthSperm.exeNorthSperm.exeNorthSperm.exeOptimum.pifOptimum.pifOptimum.pifRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid	process
2708	sss.exe
1604	sss.exe
4616	NorthSperm.exe
4424	Optimum.pif
2104	NorthSperm.exe
1300	NorthSperm.exe
732	NorthSperm.exe
1536	Optimum.pif
2248	Optimum.pif
4452	Optimum.pif
5072	RegAsm.exe
2152	RegAsm.exe
2808	RegAsm.exe
5032	RegAsm.exe
4848	RegAsm.exe
2396	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 15 IoCs

Processes:

sss.exesss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	sss.exe
File opened for modification	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	sss.exe
File opened for modification	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\bd1f16ba316d7cd527ebc9126617303d\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	sss.exe
File opened for modification	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	sss.exe
File created	C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	sss.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

72 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
72	icanhazip.com

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3480 tasklist.exe
1560 tasklist.exe
4800 tasklist.exe
4252 tasklist.exe
2796 tasklist.exe
2160 tasklist.exe
4884 tasklist.exe
4904 tasklist.exe

pid	process
3480	tasklist.exe
1560	tasklist.exe
4800	tasklist.exe
4252	tasklist.exe
2796	tasklist.exe
2160	tasklist.exe
4884	tasklist.exe
4904	tasklist.exe

Drops file in Windows directory 16 IoCs

Processes:

NorthSperm.exeNorthSperm.exeNorthSperm.exeNorthSperm.exe

description	ioc	process
File opened for modification	C:\Windows\ConferencesInto	NorthSperm.exe
File opened for modification	C:\Windows\AnchorAnnotated	NorthSperm.exe
File opened for modification	C:\Windows\GamblingCedar	NorthSperm.exe
File opened for modification	C:\Windows\AnchorAnnotated	NorthSperm.exe
File opened for modification	C:\Windows\AnchorAnnotated	NorthSperm.exe
File opened for modification	C:\Windows\CheckingReliable	NorthSperm.exe
File opened for modification	C:\Windows\AnchorAnnotated	NorthSperm.exe
File opened for modification	C:\Windows\ConferencesInto	NorthSperm.exe
File opened for modification	C:\Windows\ConferencesInto	NorthSperm.exe
File opened for modification	C:\Windows\GamblingCedar	NorthSperm.exe
File opened for modification	C:\Windows\CheckingReliable	NorthSperm.exe
File opened for modification	C:\Windows\ConferencesInto	NorthSperm.exe
File opened for modification	C:\Windows\GamblingCedar	NorthSperm.exe
File opened for modification	C:\Windows\CheckingReliable	NorthSperm.exe
File opened for modification	C:\Windows\GamblingCedar	NorthSperm.exe
File opened for modification	C:\Windows\CheckingReliable	NorthSperm.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exechcp.comcmd.exeNorthSperm.exetasklist.exeOptimum.pifNorthSperm.exetasklist.exefindstr.exechoice.exetasklist.exefindstr.exeOptimum.pifcmd.exeRegAsm.exenetsh.execmd.exeOptimum.pifcmd.execmd.exetasklist.exechcp.comnetsh.exefindstr.execmd.exechoice.exesss.exenetsh.exetasklist.exefindstr.exeNorthSperm.exefindstr.exefindstr.execmd.exefindstr.execmd.exetasklist.execmd.exechoice.exefindstr.execmd.exetasklist.exetasklist.exechcp.comRegAsm.exechoice.exeRegAsm.exesss.exenetsh.execmd.execmd.exeNorthSperm.exeOptimum.pifcmd.exefindstr.execmd.exeRegAsm.exechcp.comfindstr.exefindstr.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NorthSperm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Optimum.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NorthSperm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Optimum.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Optimum.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NorthSperm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NorthSperm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Optimum.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.execmd.exenetsh.exe

pid process

1556 cmd.exe
1756 netsh.exe
4184 cmd.exe
1536 netsh.exe

pid	process
1556	cmd.exe
1756	netsh.exe
4184	cmd.exe
1536	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sss.exesss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sss.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684007649840741"	chrome.exe

Modifies registry class 58 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000af522a6dd7e4da01e92869d7e2e4da016d1777e9e5f0da0114000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2188 NOTEPAD.EXE

pid	process
2188	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetaskmgr.exesss.exesss.exechrome.exe

pid	process
4688	chrome.exe
4688	chrome.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
2708	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
1604	sss.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

chrome.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid process

5008 chrome.exe
2808 RegAsm.exe
5032 RegAsm.exe
4848 RegAsm.exe
2396 RegAsm.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

4688 chrome.exe
4688 chrome.exe
4688 chrome.exe
4688 chrome.exe
4688 chrome.exe
4688 chrome.exe
4688 chrome.exe

pid	process
5008	chrome.exe
2808	RegAsm.exe
5032	RegAsm.exe
4848	RegAsm.exe
2396	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exeOptimum.pif

pid	process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
4424	Optimum.pif
4424	Optimum.pif

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

chrome.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid process

5008 chrome.exe
5008 chrome.exe
5008 chrome.exe
2808 RegAsm.exe
5032 RegAsm.exe
4848 RegAsm.exe
2396 RegAsm.exe

pid	process
5008	chrome.exe
5008	chrome.exe
5008	chrome.exe
2808	RegAsm.exe
5032	RegAsm.exe
4848	RegAsm.exe
2396	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4688 wrote to memory of 2176	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2176	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2852	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2220	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 2220	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4548	4688	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Windows\system32\NOTEPAD.EXE
  C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\7oQoGzh.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa4777cc40,0x7ffa4777cc4c,0x7ffa4777cc58
    3⤵
    PID:2176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1752 /prefetch:2
    3⤵
    PID:2852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:3
    3⤵
    PID:2220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1604,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3680 /prefetch:1
    3⤵
    PID:3696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5004,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5300,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5316 /prefetch:8
    3⤵
    PID:3400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5324,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:4388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5204,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3872,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:4208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5408,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5600 /prefetch:8
    3⤵
    PID:4544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4752,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    PID:4600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5124,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5480,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5460 /prefetch:8
    3⤵
    PID:5024
- - C:\Users\Admin\Downloads\NorthSperm.exe
    "C:\Users\Admin\Downloads\NorthSperm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:364
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2160
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4884
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 719580
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "copehebrewinquireinnocent" Corpus
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
        
        Optimum.pif f
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SendNotifyMessage
        
        PID:4424
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
- - C:\Users\Admin\Downloads\NorthSperm.exe
    "C:\Users\Admin\Downloads\NorthSperm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:4420
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4904
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3480
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 719580
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
        
        Optimum.pif f
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
- - C:\Users\Admin\Downloads\NorthSperm.exe
    "C:\Users\Admin\Downloads\NorthSperm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:928
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1560
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4252
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 719580
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
        
        Optimum.pif f
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
- - C:\Users\Admin\Downloads\NorthSperm.exe
    "C:\Users\Admin\Downloads\NorthSperm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4800
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2796
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 719580
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
        
        Optimum.pif f
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4052,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5696 /prefetch:1
    3⤵
    PID:4500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5572,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5820,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5808 /prefetch:8
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5924,i,14183418496776346306,9772930851972256871,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5952 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:5008
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3464
- C:\Users\Admin\Downloads\sss.exe
  "C:\Users\Admin\Downloads\sss.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1556
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3876
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1408
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3856
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2680
- C:\Users\Admin\Downloads\sss.exe
  "C:\Users\Admin\Downloads\sss.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4184
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1536
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4060
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2712
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2396

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\Admin@HVDPCYGS_en-US\System\Process.txt

Filesize
4KB

MD5
211ffe9dfe23eb12fb43f05fb4a44876

SHA1
48fd84de809efffc880414aafeee7625ec8497e4

SHA256
a6088a6142f7c2edffaf7ea252e365ec785ae4b11c9d4a106e58f3149928a29e

SHA512
bb5855844d9d145d9c88e2dd04e36af9a3c70c3c1071e32e9aea72fae7fc7e05eb30c3deaeb3bc41383da040dc730f2b5b47c7130c5e393d14e90e8f39ad4b9f

Download Submit
C:\Users\Admin\AppData\Local\0993adca3a05158d4947d12883e78d74\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0a0d986d-8aaf-4ea1-a51e-fd5c301b0044.tmp

Filesize
9KB

MD5
1509162cbeaf7ee53e8f539b53a9b938

SHA1
5ad8a3a4ca0f2d086373d0b72125171642e63ffc

SHA256
cc2dfe582c47a984d0d1487bd1967824db6920592bbeb4a2882928c958fff5e9

SHA512
48a286d109c0a828ccd8fe5d3fa7990d0ce98c1fceb98edf1a8a7b323e6a6edad5dce275b5245f629b97d86dfe6f3233eca0625d09a55f3657523e8418e22737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\718214aa-a04e-403b-96d0-735a5b2e7ebf.tmp

Filesize
9KB

MD5
7e02109d5b4be979aa522038d2a56965

SHA1
59093bd6096c50a5122b629fc6a2feac579a7a89

SHA256
bb9a27034b74fb208a5ba875db442481f2b063e43cd0b6c4bf10b9f3a3209e7e

SHA512
ec765d523bed67b4cbd05a5ab0e7c8d3d2c36614f8485db8bbd7b2c61ec01b5d853d7b231bf4c35f3870674b1b67768931fdd065f004db29986a2d3b93fe0edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9bccc27c5acf56cf85196494ad2526c7

SHA1
fa3f3821641a400761307fe1701eb3830994c5bc

SHA256
512700b218f19e69544389ddeeadb881e9769cf99830b0e05a3c90ea60b79c06

SHA512
7ce8755a7921034bb922ebd585b75b6a6cd47e5127db33e4225837e12e6a25c6b0e386b8c21650a842c511f89106e0aef2a0eed5d49ec43cddee6603585ee031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
353d986767a1359200a388eb38f64235

SHA1
b218e716a0644c7c7f16e721dc55a26eb28edea0

SHA256
727d6f8341208e83ebb0e8208038548172518f5e1ecd05277db9ef6f37ae56d8

SHA512
c77bc357200ccd0cdff010f4f9f353a5b9068f8e0678643a3214cedacdb463246eb6ff72e35a4d32e39995182a6062ace242ae17e3a6a26160ef1ddaafae273b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
0cb675a4ed1809e57b83463bcee5c463

SHA1
6527033fd48aab1962099580cb1176d7a8e6ce76

SHA256
8f6ccd57db18c72161e7f8816a7fcf84d18aa080ba64c42c343abfad35a5b4c7

SHA512
7932078d0da86b51ae4e1c7e5b944d5e572625f3d2c279196d1aa99506a3dc82b7ed7b1e9047f1a654038c7c39b57f33d7ad282ed840ae189020e2a9256197e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
307def53f913f8589182df4a4e34f333

SHA1
4d574833d2fe6678faede3c1c7f85cb39c6624af

SHA256
a6a1b654f0f1ff32d4316d0cdfd18c05ac63f68603cf08abf7608121a4960722

SHA512
f03f53a14addc7a728a0e6ae39a9b4160ff52126018feff55b563d18da08ec1ada4c87bbb6bfb47680fc2e359155f9b82d8d5ceb2438aad16e164a5a828a517c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fa88458a5d058206d5723643dde8fcfe

SHA1
390158f0a6f03f7c88308c892006f81bc00e797d

SHA256
9d98f737b36c7fd7740cc826548ce0e9cdf686a0a9040b6e9c95478a05abffc7

SHA512
6900fb3504fbc3e2f7215ba5c857c6f36515dbd4d8c3a72b844eec6376b4fac13c1f6db670b49ee18b4f181919a66194f8f2c7b717e50fd761be7a39057e45ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e04c015b79192ca436393075afbddccc

SHA1
f485f83b881b92374e73e965581701ef91ebe955

SHA256
e5b3ffc3ddfa40287d8031a1a87ea12bb09112755441b98d5730011720b97ea6

SHA512
35c2c61c5fd4fdf4740253d8f1c454e01b7a4e790222c83e561015a2c3065cd3ffc02fcbe86b1d1e0ba715397201eb2834c6292b9d45255ccf83cff5b337ba30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
07aae043233053730eb8086ff6aee627

SHA1
e27de5943568a1bd9613ec28aa72a67f28d1ed7b

SHA256
cd1412fcfde16a047989d4c2465c0ef0a17465ecb5206823ba251d0bf433c151

SHA512
83db3311533481b2dae2526ddcd82c0c62bf2f4655f4fce301a7841564fd792910c6276161cec6ceb3a936f8bae6318d53209d7093d8c4827c867b7774231432

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2e371a46d0ced563ec723b06cc49ee03

SHA1
99e9418e2ab211260032f1e08ffda4da7766810f

SHA256
d750b22196c59e03ad5b45f9de1e5f3753471c1c5288333bf877832e00683d0d

SHA512
c1a5eedd58bf4d8dd068df41b1e0aeb08394727f62438161c76ed7613ab425f6c7de3282cd33894548357d3ef5d45c7260c664c6888dfc12c6c433e09f6e29f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
7715e1d21e4e60359314c0a1aff5c967

SHA1
c8d30d14779b2b823fab150e6241cd9f030e41e0

SHA256
9070fbd35fb07de328fad1c8b1dc1c40d02e0a4427dfc5653398b85fea394f91

SHA512
8339421bf8621653bdb800920afb92be27d102d9865fd4963eb96d33141baeef5d6237338eb11dbcef79c9484fd5d068f13b87baaf30de70a0a2ef38dd790176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a76fbb06d8d2a628b88797d7e2fa5c9

SHA1
f59cba8fc034ee693a09b704cbdbb72773f7ab58

SHA256
4bc5b11fce78109b62bcf18305e548fdd7a46c2a47bc3b36f2b9cd09448d096c

SHA512
95469dbd84949bda00924e2bf05a578c88de0a47545b10f3199904161a67af9e7599234308075f3a075490655c3eb22d1dbb96c26fcb6af6944c0abcc680b424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17c76f601d914f0fc293ec3fe53f477a

SHA1
5e9a0cfe89d55020cd4dd2475a4dbf5c8cf9409c

SHA256
f660e7e497a432819dbc38ec211574af9189b30eabbe0eef478439561d209cfc

SHA512
ace81b6e482b351a9a8203601309d552361e9c1972109dca66f12cfd43d8814d8f5e71a3ce1613e5eb71cd8715bb01f4c5bb7153106f4c2837a780bcc50e8054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a54ca5a4964d1460d04daad12ad1656d

SHA1
bd344b209e9d0e6909720496cde284476ce37955

SHA256
2174cdb6ede7b608cd54d5a027b29dbaa8ee208a309a08b69a6e1af3b59da255

SHA512
caef1505d072439f5136901d52ad8f6f8c60bc5ecbaca94440f57be2c3c5790286c4c7c02a92edb1a3c2f14cd78ed92846d52f476f4b486fc385088c40c526ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70daa1de1c6b02a13f6973e2208937e1

SHA1
e6aa7e58f93f6461717e20a007c0da53e580e566

SHA256
8116bd109e5f348f54741c207690aedd5b5ef0c25ce3f10ac14d158ccb8fd43e

SHA512
aec353228918512ad396b92a150eaafe5d65bf6047212c97d2333ab1ed22c00ddb6ad1011e7e3ab6dfbb497e0f37ccfdb0c65ba3bf745358c3c85f794ba423d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fcc1be637efc374bb16511f9329d2f9b

SHA1
9b5afe27c8ae9bcf652d6d9f6c0848eeff86baf0

SHA256
d11aab555e5ea905b096ddce867fa732f3bd8bbe5cec8bcadb69ac403ca7f26a

SHA512
00811827964a169aae5021ddc9f5ccb0cfa94d7e96d8c448109a065b173685210a74c430a9e5bd4789f1f74676b3c4bb962c6a4417f293672aedfa8e2ec319fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5584b8bb56a5ade13032d2b05fbbb91c

SHA1
4010edb352b602749aae1edb02eab33153588355

SHA256
66cd38c5746c68c2a63352619f5213ad3efe6becac49553254d7cb1c7a54e474

SHA512
0ae0f2582397e27a09f846ad4d7ce047b310a95093e92f21265726825d02aa9e5e2a75e8ef1413c935ffea2229e364ce00562a431e8a85dc1f8aed15039e6ec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0357857bf48be48e2ce084553c6ed6bb

SHA1
d5f5fe1364e6be20c195e4b836da966fe2d5d7c1

SHA256
3643784c6fe7e8b9fdd92fbdc7942ece8b36ac89e59e849a48ac2fd28d4cb3e4

SHA512
016f339be66a6277f57db2bc2c0520cfa992327d5c8b34ea16b0a690765960d1cac1f06007ab0ebdbf20b0e80db8d303ef96098b97ed40115416decc5245f7b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
855498f42781e39bc5d0f2193b9f6e42

SHA1
f01d0891d21bcedaa42ef7398ff09865f1e6df95

SHA256
3057b536743cd0f7c5fb39f63f8ea94f0175ea2b1e66359b4bbb06781e81603b

SHA512
d82ea2666be26ebda41ab8cbfa2a3e04141f6b508afe93770c31a78ecf3b9811689e3b98e93bb92332baed3aa82f3f4737b9d796c49915ed808b6bdb96373bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d5cc04f23c885c623bf296473f02e6d2

SHA1
55addfb8b7ea03d9045aac30ec464f8f8d044231

SHA256
17dc4ae3ab79aa17028b2be22dbdefc3130478cfb4ff119e28630aca45c902f6

SHA512
acfdafb964e60e3da86e8e337ec07b55ad3ed489873e0ea0f453c13755791df02c6efc337f12d393ada7e296c05136343d5684f14630ecdfca38addf1dc5b383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a537af575751978c03709ffe70a96457

SHA1
aeee79416fa86b5b45df7dd80198789e762753e5

SHA256
18d070e668c5612ef647245647a34cfd6fca014111ef0efed1736a4322ba7a37

SHA512
e8167025950024c4d7350a7d71dcaf56cdf9869f974598abe5ff49e623a716df4d529d7a7f95fd2294aeaab8f20eef0dbe42bf7d7b58b238424bcd024b497307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4f42ec48377e05a5b960dceed93d2f80

SHA1
be46efe8ab065117bd7cf982de120051204977b8

SHA256
1757eb3918bb0a8be818fe15cd80b459bd6bdde5f634ce165ec8a2cdaa6f2646

SHA512
05e69bf9bf71fedc17ca272bf3e69a80d8759b02b9ccaaf19700b1d0d867c856e5a6360c178a0c02a66221a5513e0f90c585e00ac9b44935113f449cf04b6357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2573edec886ca75e2d02e76c36fce52f

SHA1
f8a22a247e2eac31a2641719afa45a5c4e4c10cd

SHA256
07abd00a587c3fcc86de4fa08712f6f54823528c2157a8ad0d8ae4dad82ac66b

SHA512
7073c9bb2d26369fee700d5ead502f076eda87750f86d4a0f4dae38458d4bf50f2a4e11372dd07faef053a2cf77ae696bce8d6d606eade01201922391d8614c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f41a8b1294c51f31b9124ffee35f414a

SHA1
80324e85d5f669d1c16bd1da3041e107803f0e54

SHA256
e1a0c70c46b5eb88efdca4adf70ed16b7b165936374621e51b78dc5b1fa586c5

SHA512
15d2529d84d81279950200fe0a4c1700d2650f19ef0fe35bf13c3038ee67231ea0a3f08f576f263ffcb42f8c3a092ce731eb17ffd843ce22a233fc1ec25ecf23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa0612da9222ccdf27e3c49b3320c396

SHA1
aa0545939a9b09342ea89c8c0bb7ca7dfbbe7473

SHA256
54dc91881211ce1f6edf775420fc1052371e89ee70d2ad2ea1e6cddb523aed06

SHA512
6470a0af4eccc12136983eb472c0d9c3ee4b5d1b086a057386523df0654c9cd75c79718bcbfa9e6d454e1c8298b931513bf3fc4231ce2cee43ff54bb643a48d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c50f420a6f98b9ea22f3c61c3909af27

SHA1
74df161ef50965d75a6cea1e11753d82bdd17832

SHA256
b56634b43d2e2facb9d1d9a7ccd0c691b22e8e4714e05093f0f08d373c10b6a0

SHA512
3133d8e7e7e425cfbce1f7fa928c098a26d88c491697ffa72d6546c6d14e7abc0a3045f862605dcddbbfcfe6fcbcd475c49f960b1e1f139bd6b7719513847e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2011fa45b8f0fa97ebf0cc16ec5625b9

SHA1
11f031a98f2d32e5fb8feb93bbcc57cb5f1c6843

SHA256
477ddac575bd9ec0f91219ff9413cf326eddcaa2b969eea1789a26d131ad8a13

SHA512
6fcd2b062ba49dec38e3f8ff6ab192ce045ece38cd6f28f6fa6735fbd521871a9be7ea48d942a10712ac234b7e33c53c350bf671c3e57c9779c05e2749161755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
491d36042a970ac6692ce205ee9b6571

SHA1
47a13c2df5d9c7b7628cc2b16c718e4fa8709510

SHA256
cd0f06784d00f30c90dee12552090726a195186e27d57acbf099f41620e4a57a

SHA512
e8eb74fed8a0612e46c9d9dfa568702f4092498441040198e8f00bc7d065a1c9ee0bccef3c08fe3bffce1c8a6ba359196b2b7b2cae452df13f522b7df14a93d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13389268260a627a29e2f136ac7366b9

SHA1
6cae18273c74d8f682931572cce2648d71402f0a

SHA256
06353ce56ef4d3866233d06ca4b08f5de869ec5daa9c6c22286f8eda8c291a80

SHA512
12e64bd86792ec2cad81de8d16ec8a9174fa68d029ee236e70003c7bd0d4b4cb0215ac1a23f8f1b3eb6cc91a156e6b4041d37713ea5fd6f40804ea68326f6ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
566d4d4504d55da445927e4b7d01005e

SHA1
a0a49292390d3f47282797449d4a40fe94848a7b

SHA256
79b0c195b253448ba5facdc9633e00b4aef6c300f8b43d4e52781a522f3b6e26

SHA512
1d9b2634b86f136b9cc85e33b7808f9fe62842a778b44cff5221208e7441eafcd0b91e8ddf8024f8adc4c73acaa8dce57093fb63ba27540c156f1b0f9926b3c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80f77d085d09a6c72336b8dd9e48b31a

SHA1
29dc3141917f4d8a47a0fc9d5158fcec6abeb13c

SHA256
6af79ce252a635c932c3c0b9353d730f331b4e68a5657860f4d6bb629add124f

SHA512
9d1994da6ba068af26ed8ce786499f9e2b62e6161233d1684d4f348ed630d2dc45b706919d42f0e9c2b5d65b7f1947cbad72bc2e332d35f4582a494e3fa96546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a1b1c9971b60a40b76d017f4405d9a27

SHA1
bda51020a1a6fd039dc42c5fbed9f6d3d748d27f

SHA256
b2f87fea2044993ad8addd0a45dcb711d20c93d079b6e89f647cf0e82bca7e5d

SHA512
ebcb761f32cc24e2f126dca3b2a75603f50189023496bc6a90b4d7808a9bb2e573a14257507340d9b331c70731f3b4c2d194807d497dab29f4ba7b769f7a91f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
831aa3b5fd8542d10c32288317cdaaa3

SHA1
ec6d293966c42796d0a58b2ef474dd5cc98f4a69

SHA256
f77df05cdcacc6b41ba4e4a8c99fd7b9733611e05b7eae8830d6ff9a692564d3

SHA512
2885b302fe5a5360d89afff57ac4c38a567d0e1da732e55c91e5ff7d06a8b2a71fe7b33844a06d31d289302da6118c8b5af802c7e8073a31e6fe81f246d0f8bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c456073baeaebafca1273f5b928bb455

SHA1
faaf55f914aafee8d7a39745b992afe6044ea1bc

SHA256
bbb10c1c0b8a2ff769facc39869bf7552bed9075acc0aa671c9ae177056b3b06

SHA512
3d12daa0a30d48c6d4b20b4021d1999a3e96968ec5e7657656389ea7b8ab9e6e229be64a2b23a42297160bb84e835ee0d5b9b00bf7e874725787f63f38876f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
70546f417c8b335d0d2737671a931a3a

SHA1
063bddc69f8ce5b84f2e3daea584f23b0f74d10c

SHA256
c75540fe28ba11f8dc4876489bc9f3dc0131ba37228f753da6cef4e86e900f4e

SHA512
2bd97ce77bc59f92fc4d6e59f2a653464b4cff032db0734e71a4a9a600ba48ff0132b446230113270f851ec342e076a2d2a2f84ce263d7e65a84c392f2f3e8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db6b2d15c4dc37dea9fa2fc9bab104f7

SHA1
25c84fa591769c05debd90b15e4cf12fbafb05d4

SHA256
d899ef8639b55c9c948a7bdeadfbea5e2ae9178614a08b70c9624282404e842a

SHA512
17036f8a655903f7c4e76b6271d32788fc425eb1ce174e458b8642df8175b9ea79f850fbae6ee0864b7b51ff41a02645a39d815398e0f48e0af8f62d258b28a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20d1ccdff8ea4115bf5b0346345c5b9a

SHA1
46fcfb092207f98e676f10b0f135d7f53fbcfff5

SHA256
1cac38d83409ea6291ecaa828aea0b1375b8784e4743a216bde476ea9cd777d3

SHA512
ada90e856bd2505b8529e6e5d1f68a062fb01d3901de91b36e030575e80a8c1417404c501e9a0776cf0c487e307f0ddef8ba13846d5047a4d249f516d962daa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54f3cf5347884e0dcc72d7572e35b847

SHA1
d781cd321de64e3ae7a202783402407b5444aa1c

SHA256
a0d5c5ac3406243cc99e2c7faa13431743c90001b23447eee80bc9e991f85424

SHA512
b53f745cb86f3083db860cbef74c671d7a11d0afad2d8e669ceea0d710234b45938336c8e30cef65b9028beb55f8cde6b2fbf20dfca0c04aa3d8215fd8c6bdcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
78a70bcedaf47db691ba81dc290f810a

SHA1
d6a6cf732a42a3c5646b0c1a62dc3934ad3be9d4

SHA256
cf703985f739525ec43aea69f783f8f73bc1436f666d6fcdbe8cd3f06a541aab

SHA512
225f8b632e04a660aef2bbcf4d40e8e536a6ada19bf118475500a03348b18d4649f75f725a476a53df529af699def5aed23d181af906e5f612177bd5acbd7ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
158edae8646b3959e338d02771e15f4d

SHA1
bcf13b8a100d79f7a4561486509fbca76bff5ebe

SHA256
176266943c9570e09f1c004d116bf744c8b2be7b37bd63c04f612742866bbc98

SHA512
e3876b5b872727fd618ba7967208927b9a579074b330d6fd6e2bb1e74f71202df376e9da1dd9864543196f41a1201e109b17e903199df34335a7791622af6a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7249621bea01f14211396cbb852de618

SHA1
3e6ac60906b53161e6094ed47333b5775dc9d668

SHA256
ada72ac7864791379204e2d76725b696c6dbb0672cd8e0fde00cde0ef4d79499

SHA512
50810e341f0fdc52a1ee2e4d43cf8b38995826e53d735675d980e24abbd30e577bec796dc85fab67b6257c5f3c0c5fd8fdc33c177a00eb130146eee7de8244d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c52227592761b590df712415e0f6d9a4

SHA1
19af8c9c66e290b9420bbe05db2997c2bba3d3d4

SHA256
4e9bc0eba76a587a641e357f2badfa8c7260a65006dc20bb95676c58486b057f

SHA512
f14aa357cf04187625861fb4756d86113ff187f403c34dbf38fbd7725fae4373564699610539a3a1275a62ecfbff8b261b5ee25f368893aa736d73a92f3627b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
03027b87b50ca0e0914a2028674b46a5

SHA1
edec40e034a3c60d430d1364aa916fd8ece3d852

SHA256
ef2c19fd72c02d76b46ebfbc3ff103d0fc89f58a07c63930d1a2c36cbd1057eb

SHA512
279a644268718b3a5fa72ca846a82dd04dbf5b614bd40addacd52d4669da7f6e434cc1c194c7e86cfac6067801c0bf53ab6176ce8a7581f381c0ef40bf15c014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8bf214f3adf2bae18aa552d976bd6f89

SHA1
0997011aa0549f0a5cce727a85cf1dc00a02fc08

SHA256
117c8699a8647797ba42ebfe9d2caa50782d906084416f99b9b7a61e82b4814e

SHA512
5402eb98183b4ccbb007e323ea72e9956c01a9e015ad354046b925367a0f20159de81d1353f16d31614812a7694e9e560abbd98e14034d29db56961c9523a961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6e02143d6bdcb6fc32cc1fd3a3841647

SHA1
882204428a7661466bf25f53ab4041306057baed

SHA256
0920922171955a8e6b6a8034028fcafdaf8851ae389be02608bad35bb8833bd0

SHA512
f101ce7a710412d197464edae512f1a19a2c45c818fce41cefe4321de0e6ebe92980087cb147c96faa7d2e72455165fbc2ee9c7e03873b14d532773c7a9cc77b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1eb2d5d9b9a98d6b8e366d4b4f6eac9c

SHA1
ff6b4db3c537ac084308b64c2dd6849333b31609

SHA256
e8972959f55ee72c3cc9c931217706fa683202e6a6261fece2752ced5ebea89c

SHA512
4e5b632b20181ff9db7e7c54f6f149e27352f1875a76e3e50b1b7a779a8bacd0d50d72e71e6db165fd557a275d76673162f06915dbf97d9213ed304e77435dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
69d8aac80ee8429abea445107948ab64

SHA1
417f77a429f6fea087f5c109640361f919296273

SHA256
f5a857d4190ac6fcdf0e9bfabbfc2be61a30438aae63050f0327726946cba275

SHA512
10ca8d2b75582cf8067afe2eabe1ef96e004b85210ce11b0d00832d1a17a7b6fe7a472e782f14cff77cd00f39610d9460c4c270e26508b7d08f0260297bc5f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6c2f8d602376cc964397b305cb75287b

SHA1
a41258fa74e3a507bd57d3c21ce9fb04ad0bd68b

SHA256
68c1f5881032cf191089f1168a62e380b71453c392db9e0f8a4b45b924b5701c

SHA512
c42aed80e06b5105c3d4720b6fcec954014f67d262dc22e7d3fd0fefe4159e313e8c541cb2b0fa0cd4c529be482e7d967bf30a71de2e439a9b8ae86ad726619a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
c1c91c469c5ad132bb0bb9e83709acc3

SHA1
61e9e03be34942d816c5b2c71f71e351b5ef1692

SHA256
764596cb332eed8151948d46acfe34dd84ef73d4dfef31b9fc531eb5c553df38

SHA512
58b086c397bccad8b4773bdddafe79812d19dd1a641fb1776737723e3466447e8d0f71df6ba5f6ed4083ccdd9af0b47c79be1aacf34ce6a64c96b931d173fa11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
42c4bc6925ff72b2c44b5c62ce42b00f

SHA1
edfa5067c47abea30c2d32942e7805928066aca6

SHA256
404c7a39834213a92622bea9d177cbbb2971d8774b64b92e2bf1f9bcb2df41d2

SHA512
9f9926e006610e50c59fb7e8d2cde7a9b266525cdab052ad5e83e5bea11f1942ce27d1dfc1305cd1dde160c18254b81f39c31849967fae712098ee96f45a7435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
6c678d6937403b695ae0eaa27547f25a

SHA1
1961f59597c672dfbe36969086f3176b12a8a581

SHA256
9fbf914c34a9ad0bc350c0790fe8b4523389a025b882327cb8545ecd006f12f7

SHA512
196d76f25ca3633684cc2e7aa08a45a5e914f67dad3160b6fbe54e35ef4769b7736f300c14c6a5f84580f9855b9b54b4ef9c5e6eaa09941fdb5eb61bf7b81f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
31ef8dc6d319ef013a2d67f869b9ea93

SHA1
2417f02ec8d772ff57988c88e728d178238d54a6

SHA256
ef90064f7848afa0b906b88e944409eea68693947b293eda122b982f30f901a7

SHA512
e01ef6d3b47a82c3b29308e7fb4844bdfada2f367157f587db2f117468a089d8ae91ac4902cef071c842f2f09f833c014d76bd17c04607b7a1c3499acae56deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
cae1c93ab2e77a74e1526e7bb83edd2d

SHA1
84e34d90c89c9c7e976bbc5c7d64b4d031d59f9c

SHA256
b2b1746b7e05e03107544e018f1322172e7b1afcba7ff101fc16c57d7b7f25f1

SHA512
61f6bea506b5b1d16743d3beaef1ccf15c567842a92d4dc85ee9cc115ce6844c8efbfeb67d1488db09f47e6e821be3ef6cd2caeb697af5c7f91c3eed790b8cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\719580\f

Filesize
619KB

MD5
43ca848d3a9ee13623e355d9ee71b515

SHA1
944f72b5cc721b44bf50c0013b4b10151972074d

SHA256
3d4000a64c1b7be8fcefe59e8f39f1ae12ef1fcd9d30a39158f83b26ee189831

SHA512
e52336e652a69b34c41aa9283d8e2e8e795c5734507b23050f48aa25be4423eafcc416f38bf23463de0602c20a24f0fd75629ec23214119b4c4a98025be8513f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built

Filesize
58KB

MD5
0a91386341f9d1a371bc735576b276a4

SHA1
a02598ef42cef1443cc94a8310a6c02df07119d4

SHA256
7b857693641ff1ff59e69422b09299a5580d20677acd530c27c7fbc9e3ee3b92

SHA512
b492508575c01689c982a8eb57fac2b5759e4c843c92f99d231b63c25ab4c82fa7fece9d4e9c2cc436a3232b4ed7947baecf2a06aafbf1a3cf243395af71e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Comics

Filesize
66KB

MD5
4a3aab84dbfdaf25ae909ac736489f4b

SHA1
76663cb1186f29fed429863013600c9d69355d36

SHA256
2caa4849a4353ca50dfdbc860412e95b783fdcc7e60d8756c9b4bdf2915e1923

SHA512
1c2b0ffa8783bb9e9082eae4214547d8ced58121e717b57884a56042a7ef70c55e702d7f018dea72ca95aa40170c6f24ccec7d56fa3b160237969b5c0473bea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corpus

Filesize
236B

MD5
148febc94e0f8036a074350ef338b007

SHA1
1be93210e5348f9409fe4162599dfaad797a2ade

SHA256
849892bc358956ee263db6cbddd4a9cca0e1564d6caefe44e2e998d559e610a0

SHA512
72b83e8cb35bf6fe295f1cb84197f3ffb4944e19b9ece9f6664ed2bc4aca40c9c912debf260e891c80feebb4c84935da4c2996b9a100ce94cde177928f31fa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cradle

Filesize
78KB

MD5
8c59dae352a159e484b0de9603dabc11

SHA1
34992e582081635abf736ec18f1492ae40ca4925

SHA256
3ab028b25bd6bd3ba48a92c4198dd8ff07fe71b4b41c785469d79da422f2fe46

SHA512
cf041cc9470ac479702c19714d875868a5168940a8d56715a98ae3d52f0363ffab160566d7c364b1bd9e8cb263b7e2b60e6719dbac7b6ad12e5f6a87e4f57d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flux

Filesize
92KB

MD5
523fea93bbf3f0b9ddd4d1a432b624c9

SHA1
578ccd6f97455881ca61fddf068695ab0daa8918

SHA256
f4e881ea8495c993e2f008e9b5fc082bc2cea97812fe944dda293f3b02fb60b0

SHA512
633474c0d83e92171d09ab5849b83a9bcd613f630ec54ee44ad42ac8102d25c987f9e3ec71ea6c2d3542bcc9919ded6e37c3754a8f074aeea9704f16770692f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folding

Filesize
872KB

MD5
67ff730b62d42030058393ab3f0dafd1

SHA1
79215f079836dd43b4f7b1e66739bd7dab9fb6a3

SHA256
95d53427ef46fb44354a0253a611e342a30428101acaf83215f5b21432afbff1

SHA512
6e7d6f12686b0b30c96eebe01546e4aee1adee39a7467409e8f41de9a37c65daa010ebcefa6c452d4849e7ba0bec9be55be1b38250420b40e2956c151478d973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jaguar

Filesize
93KB

MD5
fdadac1c5944e618315f608ad2f02714

SHA1
debe3ccc5a4abc326dbcb4a86ec8074671a3417f

SHA256
49687025dce701973b47fb6caba71f1443471e64551f41967a6a3275ce1e93d5

SHA512
92d7da5ef3625157acb00752b74fcfb80c588bc3ddf8b7fda488f68d0a6cf332aade539ee92139a26c5dc3549c8a69471ca24fcb1568068d5293b8988bbbab58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Liberal

Filesize
38KB

MD5
524c0177830e8a3624062be7eddfa277

SHA1
0a830e50e9433d530094edf3577b7ec5c5d1c5f5

SHA256
aacfabd8f6dde87949cbafa8eab7536dc5377e726064445e62824d10584eaec5

SHA512
79ed8be7d451a885befb7001c52a9f0db3977be8e16abd7db9f7742d520270a650ac77ed72e512a377d8f888bf05643f6bce3fea2d4dba8f37c7fff73a70d0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surrey

Filesize
14KB

MD5
721cde52d197da4629a6792103404e23

SHA1
1f5bac364c6b9546ba0501f41766bb25df98b32b

SHA256
66627eef98fb038f1d22f620bc8d85430a442d08313602eb02f0b158b5471812

SHA512
63a6786227915bc450ea9ca4df4962126b4194a1fd5c68fe3c686da8175726d4efdda5e88aedea7b8e4e758816b9b31981fa79e37dbe51028650def5042ccac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utilize

Filesize
83KB

MD5
4bb39f0bce8a4f7b640ba76ecccaf87b

SHA1
c0c7feca88b0fc3fc1f20d1963ae25388a1f4c12

SHA256
96af995b201e5392293f2d7272b1c9a3f0eb671d62aeafffb4b0bbbfed0e3560

SHA512
ad2752281067584233cc19b3d0bbd0178dc3907af71c8dc3c37afe35f417afe1b1fc4d9ad2d99506d53100afde8ddb692e93669b8c9398782cb03dc22a04e1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Verzeichnis

Filesize
61KB

MD5
6a5ab833602af088d60d3d7f89b77229

SHA1
32f9fe7c6ba035993a627a78491651f02d0dfc97

SHA256
41586643456496d40c3279839a1cb1528428c19deefb4c702bd58f1467a1a1d0

SHA512
0598b2b38270a8d282ae2325330420b467be203047dffc2e85626fd78e78f81c5084487eebfbefbcb36115732a6670a9857655c18803388c02e37fbcf51aaa66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vessels

Filesize
50KB

MD5
d64ef3bbcca2c221c0bcc85a7b6d5209

SHA1
5c3cf9d492c7021e19e103fa14ab3965fd1c6ba3

SHA256
c8c35545936faa3b0e00aa1b907952e97fffd9c1958045253863b4c2fad7f295

SHA512
2b6713646373b5b233295930a46fefbd499b607a94051c6294d3dce12f58b187c98f22f7f0b1243f22611a82c659b1d95f70a7858247b8f0853a1765d449e611

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
14640ede02774424a6e16d3c3b459bd0

SHA1
00915b6769e94bc726b64a2decc881262b4f1b9f

SHA256
676e950074a335c14afceb09c942c56ad0988ad04221949f6bd83b67570d4483

SHA512
63b063abac61c8fabd140b138a629bc029bf82174578c7e018b12c831285cd30ec53bd43ce1243d903dcddd87facf6c740d04048512f8e42a84d4606365c47fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp896F.tmp.dat

Filesize
114KB

MD5
35fb57f056b0f47185c5dfb9a0939dba

SHA1
7c1b0bbbb77dbe46286078bca427202d494a5d36

SHA256
1dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294

SHA512
531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Downloads\NorthSperm.exe.crdownload

Filesize
1.5MB

MD5
ff83471ce09ebbe0da07d3001644b23c

SHA1
672aa37f23b421e4afba46218735425f7acc29c2

SHA256
9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba

SHA512
179c724558065de4b7ea11dd75588df51a3fce737db3ebc77c8fdc0b3a432f6f1fdcc5acd2e2706ab0f088c35a3310c9e638de92ce0a644322eae46729aea259

Download Submit
C:\Users\Admin\Downloads\sss.exe.crdownload

Filesize
175KB

MD5
f93a30378f7682e1bf9f4adfbe5729be

SHA1
c7111b7a7b9c96e81e8665774362368a7c7fd26f

SHA256
22490241e703aecb478572122c4dd5b1adf2fba6ea17b5922daf207fc7e0cc29

SHA512
8832f6abf9abd2d458d112ebe3c6981a280d6a1ec4ae15f2c1a67bc45894e4ca2dab9d1278b3eed25562ceeb0c7f870e20508e1e160fa64a85fc27b7226813c9

Download Submit
\??\pipe\crashpad_4688_IXERGFGIQWKGJIEF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2396-851-0x0000000000FC0000-0x0000000001058000-memory.dmp

Filesize
608KB

Download
memory/2708-106-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/2708-105-0x0000000000700000-0x0000000000732000-memory.dmp

Filesize
200KB

Download
memory/2708-278-0x0000000005C50000-0x0000000005CE2000-memory.dmp

Filesize
584KB

Download
memory/2708-279-0x00000000062A0000-0x0000000006844000-memory.dmp

Filesize
5.6MB

Download
memory/2708-339-0x0000000005D30000-0x0000000005D3A000-memory.dmp

Filesize
40KB

Download
memory/2808-845-0x00000000011C0000-0x0000000001258000-memory.dmp

Filesize
608KB

Download
memory/2808-848-0x0000000006A60000-0x0000000006AFC000-memory.dmp

Filesize
624KB

Download
memory/2808-847-0x00000000067A0000-0x00000000067AA000-memory.dmp

Filesize
40KB

Download
memory/3464-79-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-82-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-81-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-80-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-84-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-83-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-72-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-78-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-74-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/3464-73-0x000001F182DE0000-0x000001F182DE1000-memory.dmp

Filesize
4KB

Download
memory/4848-850-0x0000000000600000-0x0000000000698000-memory.dmp

Filesize
608KB

Download
memory/5032-849-0x0000000000740000-0x00000000007D8000-memory.dmp

Filesize
608KB

Download