metasploit | 123ef10c1c03e2e3c31929cb49c9d70b6dac7d5fbd29de7c25846afe007b2969

Analysis

max time kernel
799s
max time network
802s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09-09-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Winrar-Crracked.exe
Size

3.9MB
MD5

dd76d6ce1e675bf632ec21d0520189eb
SHA1

bc9a0f7e0061860146abecdd977df6bf52ec1cab
SHA256

123ef10c1c03e2e3c31929cb49c9d70b6dac7d5fbd29de7c25846afe007b2969
SHA512

a4636f6bf0eedae51a2f590a34e24c9feb73e7aa5a58636d473653e50abb3cae169d8b2a14bfa7c890ff8587b94d8de5ba68df81b6257d2f85993ebdde009bcf
SSDEEP

98304:sNRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAMBF:2R/gmeOqv7Ac9F0k

Score

10^/10

metasploit backdoor discovery persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://20.173.74.203:8080/TwX9

Attributes

headers User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; InfoPath.2)

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3460	1116	rundll32.exe	118
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3036	4884	rundll32.exe	130

Blocklisted process makes network request 6 IoCs

flow	pid	Process
101	3460	rundll32.exe
102	3460	rundll32.exe
125	3460	rundll32.exe
126	3460	rundll32.exe
133	3036	rundll32.exe
134	3036	rundll32.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Update.exe

Executes dropped EXE 4 IoCs

pid	Process
4412	winrar-x64-701.exe
1780	Update.exe
1988	winrar-x64-701.exe
1072	Update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erwFQpNxKqxI\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uopLeFIGxRkz\\Update.exe"	Update.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 364	1072	Update.exe	127

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703317653721752"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000000259297d100041646d696e003c0009000400efbe0259f278295902272e0000005557020000000100000000000000000000000000000055bc4200410064006d0069006e00000014000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000e2cc90b4ede4da017b57efbd7502db017b57efbd7502db0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e003100000000002959242811004465736b746f7000680009000400efbe0259f278295924282e0000005f5702000000010000000000000000003e0000000000c62f21004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\q.txt:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1804	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 8 IoCs

pid	Process
3044	WINWORD.EXE
3044	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3276	Winrar-Crracked.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe
Token: SeCreatePagefilePrivilege	4980	chrome.exe
Token: SeShutdownPrivilege	4980	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe
4980	chrome.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
4412	winrar-x64-701.exe
4412	winrar-x64-701.exe
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
1116	WINWORD.EXE
2432	chrome.exe
2432	chrome.exe
1988	winrar-x64-701.exe
1988	winrar-x64-701.exe
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE
3792	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 4412	3276	Winrar-Crracked.exe	81
PID 3276 wrote to memory of 4412	3276	Winrar-Crracked.exe	81
PID 3276 wrote to memory of 1780	3276	Winrar-Crracked.exe	82
PID 3276 wrote to memory of 1780	3276	Winrar-Crracked.exe	82
PID 4980 wrote to memory of 688	4980	chrome.exe	98
PID 4980 wrote to memory of 688	4980	chrome.exe	98
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 664	4980	chrome.exe	99
PID 4980 wrote to memory of 3008	4980	chrome.exe	100
PID 4980 wrote to memory of 3008	4980	chrome.exe	100
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101
PID 4980 wrote to memory of 2476	4980	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\Winrar-Crracked.exe
"C:\Users\Admin\AppData\Local\Temp\Winrar-Crracked.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\CmmNjwXmbw\winrar-x64-701.exe
  "C:\Users\Admin\AppData\Local\Temp\CmmNjwXmbw\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\erwFQpNxKqxI\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\erwFQpNxKqxI\Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1780

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c9aa68fc763b463cb11aa87f6c9fb437 /t 3300 /p 4412
1⤵
PID:4808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1928

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\test.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecabbcc40,0x7ffecabbcc4c,0x7ffecabbcc58
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1672,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:3
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4196,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4400,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4356,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4584
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\q.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5400,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3144,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3500,i,8799878749119374427,3863141710007924318,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:488

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4452

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\test.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1116
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3460

C:\Users\Admin\Desktop\Winrar-#Cracked.exe
"C:\Users\Admin\Desktop\Winrar-#Cracked.exe"
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\IyntXwteFQ\winrar-x64-701.exe
  "C:\Users\Admin\AppData\Local\Temp\IyntXwteFQ\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\uopLeFIGxRkz\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\uopLeFIGxRkz\Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:1072
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    PID:364

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\899375ace2984fa5a603be2e730fc24d /t 3316 /p 1988
1⤵
PID:1924

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\test.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4884
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3036

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResolveMeasure.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
6e31359583d2370a6c9bf951cf112b83

SHA1
79d5997b0e6c8815b2ba8746bc833db27f2450a2

SHA256
eeaacfa1a0f8a6d30c90cfca10f5afcd1f9b5e1e57f88759d8d699319ad30324

SHA512
c4bc67c80750c4d8b5ed02513ec61777354a0f86e481d888673064854dc74fc3de2ed3dd5c141703dc3c986b6af5e66d4164a3fa0f73c680ee887433a8dc9d62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
be71648317c8e9e594b8a5ecfaa3e4b3

SHA1
f42a03a85acc16b9501a557bd65887b981b41335

SHA256
954e5ffcebcc93a4858dee7a4a14db4f826bfd1b8ac89bc5cec8145ff8c860ee

SHA512
8cc48e4978360dda5a21bbcb8bfb99fd731190a25c62c5bd7ab0a76ef5a3456fd16ed4a423568dae22a3acea0db03e4a6e96c1087e7f59f49c3c73d2c1cd2dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
5df5a14242c6a2db3bdd663eae4c45c8

SHA1
6441be1e04bb5cdd91bffcc57c0dc0d751788add

SHA256
e7ec75c0a42d72dbe80830e99eb4e826257a94ba79bc78451194e4ab680680c5

SHA512
90b17686311edbf0833bed4edfad360cd28366886f42272b7276b82b68c84d4bc6804df81b0a7195d7f42eec421613aa9493fab1e1d87713d2aa5ac7856fd23a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
25548260fd6cee9ac893b87304ab781d

SHA1
03609257327d8fb7251ff247a787fca107dff5a4

SHA256
f27dbcd92393d539cda403a232f80a7e34a75bc520491d86c2f0f0ea86d1ed0f

SHA512
646c8a20375c1945e2afc3ea23378a63bf6192d700f0f8470a4620c6d36b6f268ecf91974c5219bb66b89a324eefb0b6725ed8baf0ad9029d5a744216691d462

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4f5cc920aebc900d9407ca89f781b0a0

SHA1
c456c6d13e956c0db1f1a37a3482f2da6c7ffb0b

SHA256
562104ce11995edbff873b6d26d52c5230d4a42518cd92aea8e29ee756f8787f

SHA512
39fd0396d05ff5961594c6eec26d1b16e54f25ce3eea5686c00bdbbe72755c35b30a819a5297e20ec47f117ddd89e8d4bb53c8c08c8648bba87864e3d5c0039c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
35469a81315938686fbea9b848385620

SHA1
ffc03d9673e7263a1c3c9f796569a79049100d21

SHA256
f61ca7e4b7ac765e2a16dc8057a51e2b23ae9a0ce44257f9b43e54170e14474b

SHA512
22e561f0a93a0b3e6866a76df74794665f66808201b88fc4057f9799650e23f567e5fab0c7f43caf3da9f09e2c4c0aa3392a3cfa2900c0ca4f61c513ecb2c127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
5d58891165dee363ce945d0464021529

SHA1
9aed20477edb4f022ac0403971f3cbf0185e14ae

SHA256
32aff591e0e500b46c807fdaf3a70c9312f5703f7739d8c479aa12b2008391c1

SHA512
38ff8fab4063c032e228800cd568bc1871a085b06bc1ca4d71dcaaf3b3a6d4558e6342b1068f57bced22f58def2974f38e4f0061d8604ff03bd79df06dfa3fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6465c4a3716dc3eba58045fc0b68b36e

SHA1
693c9cd67e0b965072a5490b500100a088c62a1d

SHA256
12c23755e8c46de5e60e4bd9fd867869bb792279a06098e0f667f60527195f34

SHA512
f8974eb3ffc652354caf82aa6539b5db105685def8d702938c4f364bee7fc1b14650e5316f5c0766123b225948fb2f3c8d728f8b58954ec021ff4082d2b672c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ff8973458327059958c21237b2bd2759

SHA1
e6c87b479c92f5d6aae92b9ebce337f0be9416b3

SHA256
4a6509422565c83847653ed5e33d721bc66a66de2b3f15491178f3567a641b73

SHA512
dedcedfb3aa4f086efe5a270b16e747678c0d507ffc6130656f339cb6b92db629d60bf69e7c90ec8c520077cf77f4e83833b8071f54e5bfb0bb3afdc262ac99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
f5bcb85d1e3c5096ed3e01f62b08b7a2

SHA1
a24a937b3019fbe95f0dae76c2775fbee2ee3ef0

SHA256
7136f347be1dabc0b9adf7c787f4c89b997b2b63db1d7525efaf1d19bf7acc38

SHA512
9fb1e41928fc76a0bc28e094d083f0eca4461126b039e6a2de73a07dc9a7a2f59e4ec965c34f2e991680a0eb0cc695f1d96cfadc4ac251ea620101377c436f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
c87584bdd17172089521ae3b29f590d0

SHA1
f5499c0a10cd8c8ab5e5678a793906683ac4b8cb

SHA256
043f190702196471f820b89d04787b5918c300cf73a18ed993ecf414feec8070

SHA512
ac5b2af45b7ec6641d6b223ef81729470b91ceebb18e7ddae228e878d762f63f89e5e3b09ed601f3faf9934c58fed488d306d959611a3220836e76e94451e1b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ed166ee66ddedc81afa29228d9ae99cc

SHA1
623f260ac2a91490e8bb6cef5820f9442dce3e75

SHA256
0c1c9741702d95073fe8e61c29562b15b4c01d2cfb819c2a9d46a932b9981786

SHA512
d5d5718f1395210c297029f01ce9a221a9c3c92f6800471ea13c0526bc115191d8d5e2c09c0091b4ee4f1ca51bf2496b0d80f74038829d94c07dd9ec102eb377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
ae3b1373fb92dda4790b487c524f4ebd

SHA1
df1228477d21bef5b1b61318482d7045af6877b3

SHA256
ba85627d0ac40f6981632832accb52e61a741127aa346eb01eb3a15df5fb0791

SHA512
f59a23ca06ff045512c8eeb1c1bec1d6a740a5e29180010b78f5acfc321afe09945b28b9267af718699399ab1323216a7b7c123d05468170143f572d7eb28bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2aafe493c26e8c1c052a767d9b30ff5f

SHA1
839278d43262ed176def70f376ca2c0450746f3f

SHA256
24fe93825591e2f75de48abeae418cef1dcc525d26890488f60e0ce8671c3ff4

SHA512
0f492db0ce9b4434f98861db0abfdbe4cdfb958c9641b6005eaddbd1c26079f772c547091d2c06a044908e2faef7d00a404ad1a7121ec95059790da6e0d6fb58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe2ee68857f859ae8d9cbba1b806dafb

SHA1
63a23b3c93d17d9ab9c3cab42d055ae3e3d03b79

SHA256
31ad687e29e615df34e2461d5cb9aade914c1907c8a4575a56c6eb9bf17beca5

SHA512
5b3a821e56b83d31af894897b2a7b93cdcd793c598c15bd4c53f601f1c0e4949425a17e62a57f1856bfa4dd0cfebe1d94c3d0cec167bfc688105bfda43d8123c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85a1d27c8f90d74dd607fa283aad2d51

SHA1
91b7971cd3826dc2994ddc12f7e20f0d60a91b31

SHA256
9fd1464386aee5ec36591a1ae1df8c3417605bd76f969ed93cb8f12d14e88c7f

SHA512
b5dfb6d0420475cdab5f945d2b3613e0ca5fe20ab1277b17f93f517a08b424024d243ced0b2ebc02b4a4c061e149b1cd4f520ec3ff5ac6eded1ce5a237cfc8a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
489941267662ab43bc9e5287e46ae8c5

SHA1
0e31e2b7d2ff185f75e8ba59e6b7b82809c866f4

SHA256
b4b386fa0205821530d6e4fdb23fbb10e9b11814e353d6ffc997ba441b252d2d

SHA512
c705a1d752331122b901320498d234813b423b882e533e0e5e63b5f8d33b8e74f8d53348948206128ea97d2160071e0e6580beee293771045175770adc669c15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c58f18637da43644584f79976889a0e

SHA1
043983b5ba94944c7d3342930629054388d9eb69

SHA256
47f7b3ed5dfdc0dc54450cb148f5ef65736c96fc01ffe34a8d45d03cec8bcf4e

SHA512
ef19d6fe3c4fd85c2990622a7631ad42dd6180c2bc15573aefdb395f10f67e163b5a1c23058ceabc95a2c42e3333425c1ee70e31bdd183733dc64f3b5cce3212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52541aa8ad454930876ff332b186fdc9

SHA1
a197f484789fd183d3ab08708d269e1deaadbd7a

SHA256
0bae7910e8985e4cdad58f8c3ac7c2f036d683aabbb2a79b39f9fc6a655b9f07

SHA512
5d096d5da79b1e92cdd137674e1c6515b8474d2842adeb24c98d9042849b2eac0ce5f662f47f2bc96182530b495f4f0c12ccf90548caa67db4fa2bdee073ded9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6e7efd48de196d6079ff7346b52382c

SHA1
2b7909831038ead2dfcb81da7601ae730a0705f1

SHA256
3dafdd840fe8261cfd068b8aea9f63fdb4b50eccf0f7777084165a14c04f6c57

SHA512
d41e6c5a42e267c748c60507c0110e0ba8409f1d66e102a91247f58645998d3dbafc0f25694e481e6dfd19c571f362eed9379503e5e1a1ec888b88911c1fe63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3059058372697b49ef50fd397f4fce49

SHA1
baff826df300e58e84b14d135e00e3dc15d92969

SHA256
599a5af1a8c80e655c5f4c2d5327e67f5f2afe267a764d66db30e383a7c4484d

SHA512
f1abf2f03a2808a7ec64d8ca231d4f93bc9152097cf7cfcc5b412acfd3815a0a1acd1c2add27d14681387e1c534e30355bbdecad6498a25beb24c7889bea793f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ff7bedb0273a9a8370ddd8841fd8447

SHA1
a3f255cabcbe7d5ed59b93f4e9890fbe397213b0

SHA256
95a56ac3a1502baecb780a00ab9509ff370a83dde81cf3468c5ed50c41f9a78b

SHA512
0e4407bf5a19bd6db780dfbb0c994f775b4bc05cb91ac1d1a5824cf1883b07f1f0876fa2930444da980efa9024d58a9d33662398904ea70e03b201787a5f50dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3af1c4e60a36b0d312f45a4a8c5d9b3a

SHA1
db91c553d84502beb87246f51bf0cf3b3b9bb306

SHA256
8d87a6a0f37ad6bf5f6824386ee1b566bf70bcf9382a0f7d638a9c5aa732d337

SHA512
c3fbe7aaa95c63b11af5068fdb47b15a5df6a8731603b4ef46ebd589fd8d5a710278fe26df529d9889d2288091e9c2294c2b8d7481e3b6a8c1c5d36fe0971187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c62679f10fce45c061f2a80bcf85d04b

SHA1
ced8c294740285d04db799b53166db11e4939335

SHA256
253b329c8242f84ac8b44e2bf13113f8dbec564e55f7583d23c61f99ab6324ca

SHA512
7f193597ef68886a0dde121496452f275811c728fbf2cfd37d335bc6db91bab090b2cf1e02b82c3ef2ced4154cdeee5b5cab6540768be9b4ace99656b91bc680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ed88810e4186f7c89ac3ae2b1f61259

SHA1
bbcb3e0d3c5fedf69e5203db18d8ceef7fe8748d

SHA256
6ecef8395f0791082fe735068547db4641953e58b5418891f50a5ee3fbf1ec1d

SHA512
8a977aa63fa49038134660e4ec0c51f0a2c064a8800aadb3e7cabe9ea550047cbba578173def94a677c511b3f87a69cc8cede3201ca3c61615759417556551d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
38cb085baef286c71dddf592493b30bb

SHA1
e2edf7d1b0b82b9e2a5ab3a33cdb827d7eeba21d

SHA256
9e80756a0b75d151924b6f45d2bf0f05948072d9336d67990f983383b5469998

SHA512
54817027d6205870be199aee4236b0027464fe0c537f99c9192c3865d61346214fb252cce06243f13b0686bd6dc367fd0ba68f566a3d1fcb0429afab4347b04c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1fa24ebc48e5e6a187c4b02570410d54

SHA1
36426ea2ec6426b7220f82dc01d8bec7170bf757

SHA256
44d384ef0bf867b53aec5f5d29b33115f27e02362344e21fdccdea05d1fd9af7

SHA512
c9355ee83e2c3177e17b3c9b6e2cd5398e79fada8b362827addecb91ab0f128af02bc937caf2fe8b8aaed1e344bdc1cad7a61af03bd4674a9b62e20c8b2b7563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c3f700259c74586b1a51adabf69afa2

SHA1
399c205864a5d99c3eb44866a835cd9fa8df49a4

SHA256
a9545cb651dcecee9ed86b0db11d7a43e82b08eca296effc622a89438c56439d

SHA512
928653136826cf0a4d2f0dfc7aad40c17ac256ee53986d1dc426ea24005ac9d91608360616ec24602bbc7fc461b746b881a12e9398237fc55fb2a3f2d9948639

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36d3b104274406844977ebbf6d989af6

SHA1
67720750d1f23215617aa3ea6ece8edc8edbd775

SHA256
8ed8282b627fea588551f5e6437dfaf11946fecc2ccfb1758a01451f39187c37

SHA512
195275ad06f4b35c564da51bde4ca27289023de3672532250bc68c78a34c3e9e0a1f3bb56ebf48403a4bab7edb99439f72cbfdf4bf73e507ac81ef5312139277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3dd8ee37d8563ce87645be8a1ab4bfd

SHA1
619ef0a5cf289ed73335f7be7717b17f3717ffa4

SHA256
b847b12961a0c2ac639a8b52d80b39dceab5b56485e82a4827690588dc8270a9

SHA512
390cfa12f8b8f837661451d474ae30179d812e93e8b8e137b08554c5c271606a50164905c4f4e7dfcd75e50385847deab3876d4b50762bec8868b3be3cfcbed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6d03c8bebbd39ec8e46d46110e42870

SHA1
ae5f0107f7b9d47c2659bd60a57f417cd2cc3459

SHA256
b150fe3f0f325e52ac4fa808226aae360829b80eeca02b2be155d9714c05cf2a

SHA512
d82c00be2d35fd1a4a95b36949fcbb704fccb82d4d3f3fd5ee3422e394c4e3836e6b7e04b79bfd8761b910253a3352736960ff4e8e05e865d14cf95c16050022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a973fd4f3a1cb90cbcd411057b157f10

SHA1
ff114913b8531cbfaa5092e19dc23b74e170d5a2

SHA256
a1c15c037bd9d988224235831e6e32bf8ecae713a691fea0a316115a9911b9b8

SHA512
ead20e1e550d9954b9f0dc961e7cb59ac94acdcb9374fa033e237c2ff8dfd90a6776d6b17a2f46478185fb95eebfcc9245d4f807dd1115ee23eb873e70772022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
605e2ee2b63d18224c5fec571e584de4

SHA1
4cf1d52858da4f6b51e2382c300e602d898c7ca1

SHA256
d074f39c9174445b681d18ddcb2e674056a4f251a636ef0a5c6c342a72104766

SHA512
22fb156b379d473033634032bda4a55740352bad000274f06fe32f75a19acf9fd478e2203df2b33addf67709022afb07690210d79d5fb820f4a607172c28008e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07a93a6068785e149fb014e3e3cef644

SHA1
23622c1ae428b13cbdb2f8cdf9617a4c1f885c5e

SHA256
e30da33b7f811348a4d9c0088ea5592b2285d85af6b8cbcf716ac0782d0b75f6

SHA512
3fe1fd080c8c98c5c9ee67dd0a72c5613ae20d0e1d2f64913a577844264fa0f548517853b1ec053cfaaaafa86684abe4bc797acdb779f7d35c513bb15bab48fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e7051371f870b837881a6206dcab4e6

SHA1
1086959476fac4bb0323ca29d59bdf0c17b36fb1

SHA256
ebe60171122ccfd62d3f077a46a4b7553d6164d3aca1bcf941de17ccdf9e4f4f

SHA512
8927c40fd9e15488b09837fe85db23f4a0e7c700f0e99ed3b16163ec788cc79bf8f072b9b457a9427aa36cf62e5821c258ba02ebd0c7156f4791d5176a31f9b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
78748a6532944dc18e10d232d98b24ca

SHA1
0cfa30d1ec06c39f415d46f411bd0b905564b995

SHA256
e0b5def97d78f98d70bdf00e60c592f4b41cb84e17b379acbb60306be8be056a

SHA512
9de34063db7919e6b087393ed5ed8b710529f3ca568bc1536ae843c7aaf580e2a038cbae6c3afb6d14fe7e936f2b31b57390788678f9d4629e818e01e4653126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f882a0a8e46a7f9e7c5e33c8931c681

SHA1
f538a82fc19a8cc2e8acae23b1dc230bf0931cb9

SHA256
35f965115c1786db4b5ca3e8c5beb58d044d153ba9ecae876a45661559b4f13d

SHA512
22915914df5730bceb63b685a1ceef41177974857b64c077b355e160c14c59d61792464094ec3436d8e775cc324d9c85e4ae48379f8676016f4f6082fc654f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0857588d0ba2a43fcb19589713b88acf

SHA1
0515871d2b842e937ccb0a3b4ced4e1195dac0ed

SHA256
18b609ee7e6faeea2cdb095a0c471cc5d85a768ece05d699dcdc64ce445ebd75

SHA512
5cc0e8443b398cb03e6fc7104f247c8ffa26d3d8e1cf3bb2b7de22e84fe0a94f9978864cf9b77f0a666e3cf92f1bb7bad8272b132153f7de9c350c5ec41a0abf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db7a063fc47eb4e20cb93b05ab796827

SHA1
017d58535226ff4150f9912e3508a3f494da38eb

SHA256
559b3699117900f7690e9e4f8d460d7c561aaa56033f84fec579720d1677c0c0

SHA512
5f836d3307e9ab4c1c63767416937f56bff9c4da4a60065943e9ca7863fb28b061d44fb14d86f0793a34cd01aed63cba9e1eb10532c339ef7b547d76c6a89e30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f26ea341dbd87fa6012f92cb3307deaf

SHA1
79143d4642841f508e35c7d89f5d2478691ad560

SHA256
c122a68cc5a09f32c00a51f1cdcab1601bb4e47044f6d6e13bb52be99d868ae0

SHA512
a761ea277377999c5766794c674c12e5bf69f28c38487e22262cce2c7f086a8839e1ca6a6333ff35b07b0626be4a0a7b9f34839a39e29cd0370fca3d96f5c91a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
063d34f3358b33f77dc04269b2541c8d

SHA1
936935a829b82146be9b89ced83cad132521b09d

SHA256
422a09d64393abf344939fe35b4054997856c3ade825eb91ed76b97049dbcad4

SHA512
a23fb4fbd18583fc66e584bf7cfe47ccadd67b057a87e2fd81bbed69a2fc7764ece5d9523bd0caa7dd7a7a7127ff199e1402c9e57148aac05886e9e18302e4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
195cef2d768a44d27d03009e32f16151

SHA1
0c098fc43a01a7c8ded3a3cbae8f26e4e468c201

SHA256
e0bca542b01a0899e6e11679bf8fb6bd63719d43e84c0f5de018fe66be73b933

SHA512
ffe78142388fe9c7de07fe77af756c7f4bc4be1f4f33436bed25d49a6accb31e8f5775b40a49f2ec1d28639c567cbef562ab886e33eb7175628d536b79474410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\5C1B8410-3B59-4E75-895A-6E720BBC216D

Filesize
397B

MD5
2f82426450332b558a61ae9ca551abd9

SHA1
abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d

SHA256
57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52

SHA512
dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\AD9BF1BA-B022-4CD6-A005-F0C604B71851

Filesize
1KB

MD5
85ad173999ed440af6120f3b4fd436fa

SHA1
eebe3bae40b0c82db581b905e2a4c4a90055c9b3

SHA256
2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165

SHA512
3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FAC8883D-1980-420E-87A7-E7AE99FC5CB2

Filesize
170KB

MD5
860f86609622e80ec1e8f288f4b30d8a

SHA1
0a13533889625104f565bfa95b3366ed3292267b

SHA256
4e78df879abed08c6d0a6afa8be5aedc22af95a3bb3fe5241d1ca934c54e77ac

SHA512
a223416314b5b8e84c851c7a104a3becfb8c3cd3b8bcce6682569ac75b0127a95a77eb8a226a92ec66a88b81162a3baf0c00fd6abd7e4f005352951dbc9c37eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
331KB

MD5
2d72c7fd107986dff9d09acdd4f8255f

SHA1
f60da83ed901faee7352589e46ae5a361a33af2a

SHA256
2bacf273a6b20fab94aec2c3c2fa483a24e62b36070121cd0dfd40ccfdf5be8a

SHA512
063c9a0b595480d50d3c5581d9cd4b15242c32f1ca9d24c72673835a577a8187a398ab214cea86a6c04a8e425fa81591be0369be80c9a1c66128a7672c039f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
6a266d57c5f3e612ec8155b2aebffea8

SHA1
9b9b1444f84b2e5dcf23cfa93eeb4b57446b13e0

SHA256
5aa7821832940b53bc39dff5182f21947a56526a206fb2c7540433b48c4e0c6b

SHA512
85d77f96dc79659b5527223e02376387951f1a9f1fb72d12cec5649bd34164883a61f81d0d7c617f3ca84483c7c5067b801ee991ab923d14d906291caca11662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
8KB

MD5
ae2cb96ca884aaea72b7b8f3ccfcb51a

SHA1
428c4a5f8acda073bf2f53a91884d25f32422cba

SHA256
99ddcf8106699081e6b350a055c748f6c48683e4c3742cfda44eb713054a7b9b

SHA512
21c659b8f84e23a8a0f8fe8e50f51102ae17ced0e9ba115ef27803a2053f0dad882d30b4323b07bbda854270799c2d44ac29a21046495f5ddfa6ac4f450a71db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D20AAD8B-A6F2-4251-A954-AF71163ACFBD}.tmp

Filesize
1024B

MD5
5d4d94ee7e06bbb0af9584119797b23a

SHA1
dbb111419c704f116efa8e72471dd83e86e49677

SHA256
4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

SHA512
95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmmNjwXmbw\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD6DE8.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\erwFQpNxKqxI\Update.exe

Filesize
18KB

MD5
f8d69cae8e8c3ead1d39cbd3682a7b5a

SHA1
9dbacbcf9834d0cbf35043bdfb0872ff7b00c1a7

SHA256
66ed0de08ae8ac234622b3fc58f006939f123272d856cdabc7ca4bfad6c0aed6

SHA512
1461d507a4b8e24259c78bf5d27e649524f5114c49c9f73cf15fd6847d1f932ae542f149034f78c0043c8afc5a7a9767bbdb6d0b87fe71fe512ccf49b505b689

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
237B

MD5
e19467849ebc148bce546df4c1265c95

SHA1
99456d3356efa730a7ef5c1d0929359460880b45

SHA256
eeb67c9d2c81bffdf9e0b19ccce9eba9e25eae33f01c3951c0fc470258a82461

SHA512
77417874a3d255457976361d6e5e6cbce5cc77c4cc379830ccdd55b3dae1483fc86f1a5b6bdcf1ec872e570919a882b24d7fb8219bdafb76545817a0e598f3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
254B

MD5
d8293fcef15a763c4c882e424ff94dde

SHA1
97483f4c1bf9c1bef22b5e26fe520fb51cb1cc7d

SHA256
b437bbd0245a969678e801dc97e6f2941c9672ced6a9622f9e4843f74ac88332

SHA512
37b50873e6bc0d8a7b264713409b3d53fe3c301e7cc2936bf74a270588f3285d05a1f921690e6ca3eb37991ee481f6e85b7081b9b4f9783fdefa9acf05fdd06b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
264B

MD5
a9fd3361b63558590f69db49604131df

SHA1
ea4640a881c2461817de55bd2b4e7ccd8e2514e2

SHA256
9ca9f7bcf8a348e1c71ee5133d55ee482c96429d2ec2f38cf97ade371ca671f8

SHA512
c63a897c109105ba5654d0d2cb8415505e7d87974d641933719beebc3399ebb73f88dfc4cca07975bf332171ebca4c6a1165d369ba44c4740848062f9b59b5aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\test.docm.LNK

Filesize
495B

MD5
e667c0fa4ab3a5189544f563b219b258

SHA1
7e176012bc01809b7b92f9a98aff179419aef8b9

SHA256
62268b4d286a914cc2a72fefa7c28a80aa986394d40768a39d4de51cd159dab6

SHA512
fbd102faedbf6d8f76f5020489621773bf33ed69b78919a49f7e4f60346b598df3b5c9f159195a600e38562a58826a298af60f8183014386e37a766c91d1cf03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\test.docm.LNK

Filesize
495B

MD5
addaf9f9b75691665d63a79baa7b3914

SHA1
a2c5e7ff00ff4a744383aed22792021bba09d183

SHA256
8c0504b8e074fc6b01eb65ccf8a2af4ea8b8440c883c837be621d5ef1089d806

SHA512
49ca6672a82eda18a0eacacb7cbf8fff1292a8c0baf841019bc6cdab929fadeb65743db5c3b0760c589cdc7e14798f1f025a0a770f7a198b42d46badeb6c6f01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
29KB

MD5
4f2a26b71f66292e980f94dfa91a6e5f

SHA1
b3fe1be8c5ce54a686144a6cc20d38df4eb6f793

SHA256
666a8547af6d89e7d4ef07f77f8ceb949074a64ba08ebefa4f38d78860b87d93

SHA512
519bbe61b5878ed5f0c6ebdb672d07b4d8aadaa182d1f294e252c5b4d16249c34ec3ff10915d0bf2c4720b7772e3cda45cebecacbd605e6189398c2e38caf4bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
3f996297227237ad8c9a8c188feadc52

SHA1
ea3e0db8f7608ef283e4081760e130057d28cb8a

SHA256
a3fda085d5bc9a468c3f44051612ca8787111f03d2b9e36f1101d2b7aafb741c

SHA512
45adab1f033a33c3a7ba2883cbe17f632abe9246cca0e025e6c7ce3bccb8c39280557a45652fd01f075b05f7fae08b8a46aa1a3aee5695bfdadb8685caae90bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
652B

MD5
9edcc3fb4ea9d2027921b4e056124bfa

SHA1
12505964dc62e217968903340500950972ae0200

SHA256
02223c9ae80c6d0c3b9b28f1264faf7bed9047a770c8aee922a1d3c279a98996

SHA512
671317dab18a9e2b6845105d155f9fa0f64418fd8eba834da07ff35117d947ae8af9583c08ba53396ea42ce1227dc327221c2b2fb485b6be6fba3a591cab3a9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
8c8c0dc5dfac947fd593150b07ba853c

SHA1
963fb81e877fcf6fe5b0097bb26618ed0cd46458

SHA256
582d791e2076ce1c0ce302fbcf3680c2a62491d502d9d787ca08f4462482aac7

SHA512
65fae949b97bd2d873d5c7b3f73db83023e67eb16dcadd9fe5412287d0ecd07747a4d8b3a0be4027181f53bbfb52688da07d409a4b042e240afe42048f4ad4e0

Download Submit
C:\Users\Admin\Desktop\~WRD0001.tmp

Filesize
11KB

MD5
58c7ce129683acb82c4f6af39fef69b3

SHA1
e05da7690d0ea8b91f777b00458b61dd20ae802a

SHA256
faffe5236236fe763ad2f5f55645a14d822725236d835f11f132782fe0ec1c10

SHA512
3db392ab706139d1beaa433b36428efeb9001c5658b4a7a84c542bedafcc216c4c8e41dfd56c9265af33cf4e8d75b223e5ba9ff488f3dc814989e5b80bbd6a4b

Download Submit
C:\Users\Admin\Downloads\q.txt

Filesize
6KB

MD5
3e010da77a5d9b2c8823aab972baad78

SHA1
31e4da9f95850527ed452ece1bfe28d3fdbde40b

SHA256
d25b0d2b2ac68eb6d4005b41e20b6ba7291592b13798d355ce4dc605413c8c10

SHA512
eaf1897ffd70ba2e6a8a1ce65b06baa0226f50fae76fd0a0914ce5e2869194e4d1febae29970fae241f342483a8a8b145a7bf06138d4321717ac4a011f98c96d

Download Submit
C:\Users\Admin\Downloads\q.txt:Zone.Identifier

Filesize
148B

MD5
abe0a8bddc2646b7957e0449aa714a93

SHA1
9f0aca9cbbe5c9b0434e0b5ae789aa9854eed136

SHA256
159ac4eea6424471e0416f9743f4ff9130b9848f636a3a6253a7959d5a7c700b

SHA512
6b38dbe99193d58514541713a5b1f43d7dbcfba4272f20916415f7b2c164be3fcb2bc3261b9ed654aee06f6e86efa4c4f0fd1a34311840576b7b0341e58792f9

Download Submit
memory/364-1184-0x0000020FB17B0000-0x0000020FB17E1000-memory.dmp

Filesize
196KB

Download
memory/3044-39-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-35-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-41-0x00007FFEB0250000-0x00007FFEB0260000-memory.dmp

Filesize
64KB

Download
memory/3044-40-0x00007FFEB0250000-0x00007FFEB0260000-memory.dmp

Filesize
64KB

Download
memory/3044-38-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-839-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-840-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-36-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-37-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-842-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3044-841-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3276-0-0x00007FFED1A03000-0x00007FFED1A05000-memory.dmp

Filesize
8KB

Download
memory/3276-1-0x0000000000100000-0x00000000004E8000-memory.dmp

Filesize
3.9MB

Download
memory/3460-876-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/3792-1335-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1334-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1336-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1337-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1301-0x00007FFEB0250000-0x00007FFEB0260000-memory.dmp

Filesize
64KB

Download
memory/3792-1306-0x00007FFEB0250000-0x00007FFEB0260000-memory.dmp

Filesize
64KB

Download
memory/3792-1296-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1298-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1297-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1299-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/3792-1300-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1196-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1292-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1295-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1294-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1293-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1199-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1198-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1197-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download
memory/4884-1195-0x00007FFEB2DF0000-0x00007FFEB2E00000-memory.dmp

Filesize
64KB

Download