djvu | 19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696

Resubmissions

19-09-2024 12:28

240919-pnl9bsybjf 10

16-07-2024 13:31

240716-qsvxpsvekm 10

16-07-2024 13:09

240716-qdy1tatgmp 10

Analysis

max time kernel
155s
max time network
142s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Size

691KB
MD5

d26082c8ae68b4c546843f32325c01dd
SHA1

32dbba008b93a3c2f8fc8fadccf7d5c7ab096f87
SHA256

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696
SHA512

2a1656d8c2cf6991780b0665a6815b58eaa31e1584fa6154207b540c5294e0c4848516d7f4717b6cf2fb70edf3ff9ca5f256035ab24eab88417396db80aadaec
SSDEEP

12288:SYJsO0qghZwfnpR+yUAg0BOCtK8V/zKbvDDVKu05dHY30hldLZGUh1U:PAZwfnpXUgOOK+mbvNKd8oldLZn

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/lancer/get.php

Attributes

extension
.qual
offline_id
KLbRmn6on3AXGFgDLGtd0IkHmV7uHw9VxlcxO5t1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool. Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0876qual

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3412-2-0x0000000002230000-0x000000000234B000-memory.dmp	family_djvu
behavioral1/memory/4344-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2492-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

372 icacls.exe

pid	process
372	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\13536083-114d-4168-a139-9e914385e037\\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe\" --AutoStart"	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
10 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

description	pid	process	target process
PID 3412 set thread context of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 set thread context of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exeicacls.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEPOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeWINWORD.EXEPOWERPNT.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132303"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000717d0f0ff4c554dbed369a5f544cb1000000000020000000000106600000001000020000000b6c0e13393e5a15e51e9a855106aafbd7272fe630b811c2d22b94b8e129827e7000000000e8000000002000020000000be7d466b442dc36b8c982bee939f9499cd929ed2fb132ab650479936380137cc20000000e0790b414721ae0c555a1fb113320c8c0c6d5d8237a60b0053bad0bc6bae9e1a400000005d03b0bbac2a9117c7e008c16e44d249dc3be7b3882afaea47788f7769664d75b7719e1447256ad5698ff5b887b40c35661c47d7953749d10852b4b16540afa4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132303"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2902010425"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2902010425"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008eb3b08f0adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D89B57B2-7682-11EF-A2FF-C65E46BCC2D1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000717d0f0ff4c554dbed369a5f544cb1000000000020000000000106600000001000020000000888e792aab191ef5ec292096a85a6c478acebb4e91249b725470e4094b820de5000000000e80000000020000200000004f3189edbf822ee2117df86b0f772e8eb651e9b1f2a2bcca109d96baab78c8e5200000006acd7fd607c4d56f32bde35288019af8517015e7e05708e3b23d343f9de04ba54000000069e3aaa0c42288c1711f5a0e21cb5e540da9d55b1980052ad6a4e045122306dfad85dfb07fe03e4b7bdfc92865bd6a0b4a473298244221959bae7e6496609447	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509ec2af8f0adb01	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133712225789429464"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

POWERPNT.EXEvlc.exeWINWORD.EXE

pid process

4112 POWERPNT.EXE
1584 vlc.exe
980 WINWORD.EXE
980 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exechrome.exemspaint.exechrome.exe

pid	process
4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
2492	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
2492	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
4932	chrome.exe
4932	chrome.exe
408	mspaint.exe
408	mspaint.exe
2952	chrome.exe
2952	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1584 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exechrome.exe

pid process

4932 chrome.exe
4932 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe

pid	process
1584	vlc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

chrome.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeiexplore.exechrome.exevlc.exe

pid	process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
664	iexplore.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exevlc.exe

pid	process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe
1584	vlc.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

POWERPNT.EXEiexplore.exeIEXPLORE.EXEmspaint.exevlc.exeWINWORD.EXE

pid	process
4112	POWERPNT.EXE
4112	POWERPNT.EXE
4112	POWERPNT.EXE
4112	POWERPNT.EXE
664	iexplore.exe
664	iexplore.exe
4196	IEXPLORE.EXE
4196	IEXPLORE.EXE
4196	IEXPLORE.EXE
408	mspaint.exe
408	mspaint.exe
408	mspaint.exe
408	mspaint.exe
1584	vlc.exe
980	WINWORD.EXE
980	WINWORD.EXE
980	WINWORD.EXE
980	WINWORD.EXE
980	WINWORD.EXE
980	WINWORD.EXE
980	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exechrome.exe

description	pid	process	target process
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 3412 wrote to memory of 4344	3412	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4344 wrote to memory of 372	4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	icacls.exe
PID 4344 wrote to memory of 372	4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	icacls.exe
PID 4344 wrote to memory of 372	4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	icacls.exe
PID 4344 wrote to memory of 4632	4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4344 wrote to memory of 4632	4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4344 wrote to memory of 4632	4344	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4632 wrote to memory of 2492	4632	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe	19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
PID 4932 wrote to memory of 1472	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1472	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe
PID 4932 wrote to memory of 1240	4932	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
"C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
  "C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\13536083-114d-4168-a139-9e914385e037" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:372
- - C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
    "C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe
      "C:\Users\Admin\AppData\Local\Temp\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:916

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Documents\EnableUndo.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Downloads\CopySplit.shtml
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa3bb9758,0x7fffa3bb9768,0x7fffa3bb9778
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:2
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1844,i,15202204774455331322,14844373108560989054,131072 /prefetch:8
  2⤵
  PID:1672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:664
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:82945 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4196

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BackupSearch.dib"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:408

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa3bb9758,0x7fffa3bb9768,0x7fffa3bb9778
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1780,i,12460141568731066162,9051105850424615976,131072 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1780,i,12460141568731066162,9051105850424615976,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1780,i,12460141568731066162,9051105850424615976,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1780,i,12460141568731066162,9051105850424615976,131072 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1780,i,12460141568731066162,9051105850424615976,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1780,i,12460141568731066162,9051105850424615976,131072 /prefetch:1
  2⤵
  PID:1032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1484

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitAssert.ram"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\ShowSave.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
c41f6e14a1d4086113a9136ab9d2015e

SHA1
527978b0b887d76acd81dbe5f8fad37f15669309

SHA256
ecdbd035e70f5274c5b8de5fcfcdb0aeab975603789266f2e0f6954c9e16eef2

SHA512
7b65e990d88e21ba0f65e9e90c094c316a17927117d629849e80219999bcbf2a474e3d4dc725f8b0a452e9d2833cbeb4d478833d0dede6e99d133fbbba546e14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
7c707b5d212c5b80483554dba0cbae7b

SHA1
fa79e3347f98c65923d0d83fb6dabb5509ff91e7

SHA256
ab36b8497b37a2c474229c70356ee9b6ec2f55753b7e8593ef0e4cbf961dceb6

SHA512
0024bb0913dc390941f90d484ef443dfbbb56c43a360375a4c8fb1ed6c3bf949013628b83323d457e680a4802a2de7af951e272b8f281a5ffd3b5bbd9af1252a

Download Submit
C:\Users\Admin\AppData\Local\13536083-114d-4168-a139-9e914385e037\19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696.exe

Filesize
691KB

MD5
d26082c8ae68b4c546843f32325c01dd

SHA1
32dbba008b93a3c2f8fc8fadccf7d5c7ab096f87

SHA256
19f17c78dffb74e7acc35cf715689b8157b04b833e522b427b7eda1cc7324696

SHA512
2a1656d8c2cf6991780b0665a6815b58eaa31e1584fa6154207b540c5294e0c4848516d7f4717b6cf2fb70edf3ff9ca5f256035ab24eab88417396db80aadaec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c86640aaa33658aa24db5a9e946108b5

SHA1
42a8819c961a6db7e165a84bab0781ef72e71d81

SHA256
bad1ea3662cf7bbc1c20e838088b1b20eb1cdc6060eff54f7513c67a6bfd0717

SHA512
5fea5255ffee9a38d99ff112b0ccadccc5c08458ba90d91655a92bbfdb83d921188bd1952893c934467d211b10e6b9f89ae8b4a5fe1a3db1124641f86897fc83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
a2adacc71f1516150e0eaa8184fcf449

SHA1
25ef668a980bfa96818a11cfe0c3cc8c1bf33e98

SHA256
5391559913237529239a61642785657589ce4a10b210ec34b8106fc8ba27041f

SHA512
5f3d2db461efcab6bae3c45450286123f7f4de60b0f5b51094c426250015f6f14e177f2bf1912783e73b546edcf11950e2e1f40c2dd8d7673574aa63708b36cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
882125f67ef3aba59237f76ebf5ac512

SHA1
719593315df02bff2ead16cc241c510b34fecbd3

SHA256
6b479549c7ffcbf43e6081b6dce4e3398ef19ea56551b3741e291a8b007bf66b

SHA512
0c8ba22e31d1b7e421bf9ad615090409498bbf240951a91a9a4b5fb907698c6d0a1a3346758fc8557e8483a2bb0aa7a4b25b18724119e12efa64ecf10cc8c3ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
c5d9c2e6bb087b84a384ca8dfb8fba36

SHA1
9dc4ff2eb411b63636002c29c42bf2bff137f879

SHA256
b9ba381feb4f2b45f20158d8ee767103c19a6f23c9b5ec6479635e21f5f884b6

SHA512
13c7432ff05a9fa61744e3e96234fd0a1afe91ddedbc7667218b788f1d56d451a136c43123bb7b2d2c7461e2de8be20ebb1f24d4c662398d238277e24bc4ac6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
d7c0d85c73e223889477ab4570368778

SHA1
ddb580c6ae1714ff423c235794030634bbdf77a9

SHA256
b32ccbd9371c96cd130bd66801e79103beeedf92612403e97aa638260f49ec56

SHA512
092ca486ad666792f1cee45a684b2608da0174c78329a37da99ad68cd7fc0ca3be4d700d080149e969f6fbb5d029f6936f979d14459125798bc5025c70b616cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
751B

MD5
c6463a6f1df335f84df9de0b8ec756e5

SHA1
9abd4c1b96b1d49d4cc6552075ff6d42e1b6dca7

SHA256
3cd1f8eed37af8c76898f137085e04754d3c1462e5e1772228d8b9f48084146e

SHA512
dba50b0ab82ee0b9ed3ad6d53511fd971b1614214024c604e98dc550b21f3f5fafb9c4a8745f973a5f1454ebe7c5bbeed30752a947bd59f746d2ebbcbac01261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
602B

MD5
b852b883f1495fd9b78e30debc8c5023

SHA1
caa407e9565eba9a68230e372164567ece332e35

SHA256
e8803bf0dd41151e3b8790ae88bc01eeaeec4d8c0b2e5fd7f923a12a185e4df9

SHA512
e241fe83ae4e946cf7357563d3796dd15a48822b8799ca7caa1bbb727cc659f8ae21fadd354772ba11125232799ef9dfb21decf877f37c228a65503d10347af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
4c0fad1d6e14587b8e0771def909d8ed

SHA1
b70c9c23bb0c17ec390beb900b8d18d9bcbd7935

SHA256
7fd862775874e1e2b7f3cbda04b274b62cc7c84eda26f4d57d0dffc5df5e392a

SHA512
abf9cacf03fe20c09c4e8d1855b7c2033871981c6a6ede14f48876dcaf1c65a161504c16d3c89193c7864b7acf8c99088b8c24854bb18ff45bf3f40b7f951dee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f1a978dc903f2ab151d3ac5f6e7d569f

SHA1
3d7029756704f8bd208cb94858445dcfda008482

SHA256
c5c20ab92defb3c5a3a750b0bb17264eb5d207bf8e95e0bb89094266465534c4

SHA512
bbafdd1cc8a029c6ea0b4f94c5616a47e8527c31941755f15aeb13850fe91ee5646d689394ed2c8ade35b878a08ec393b25d5d7fff12881e0488cf946430aae0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
191f5ee7c539673259de505af12254e3

SHA1
afcded4d6b5be92cddb09e34919e66d18ae1aa3d

SHA256
8d4fdb547cff625a496abc9e94ae56478bdc0e0d36cf9f19ea7bddf439058ef0

SHA512
acfd48a224d3795cc55c01d8d6c2ffd339239334158969e43b0e880384fd6ace8682b004e178c164306d954d6e1e356dd81698e9103fc81ab1aed12b3dfb3b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
cec99b3a8792352bc6a0ddbdb5e92d50

SHA1
a2ecaa85e86543f17a0533b8dbc8dedb17782171

SHA256
86c3acf177959740ea45cc5f0afcdb16ddfe8b37dc000a407bcf7e9113d48a7a

SHA512
ea9d16eaeffe78889bbee72ea7cdff5e49a3dc360e1a0190e873c0c69a11dda24eb268a79c59fef2799cc57318c8e098664cdb690b1ca0d07e483648038c90c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
213B

MD5
046cc08d163fc4578cd1b77a5d0965ac

SHA1
92f503e605c30974baf385f1619f1269b81dec57

SHA256
693a60684aa9ff4f01cb6027e9c938f4701c0c898afc224a0776cb1e18e87166

SHA512
e8b1df36a237bcbbad897146ca247edf75466b2a4030fec620c46932b5c31137f2931cd2758534e4308aed3fb9cc40edf2d7646a38530bcc5e6d7069c19a3b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
332d7e08b12547044d7123ffa4f96b3f

SHA1
90b1ac7b36fafa56fa7f3a16f1ba6493131b5e16

SHA256
171eeb4d29e660cef785ae4d190841b7f041ee208d61c1b697c84ce5fcc52ef4

SHA512
171214f99338dcfeb7f24cbafe8b6abe4d393139e04fe1aec42ef5fd020888017d04c865d9f628a57430c03a064d8870130ad2f704c0ed703adb42fd0def429b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13371222575241002

Filesize
1KB

MD5
931c72baecdaf03575ffdd9f77da7afc

SHA1
406f47545617e722c0e9ff215e1f2b6ebd36f10b

SHA256
514a576ec076d1f199b0d7727fad9d3143944a3f754ad6d1495c85e832baa244

SHA512
6807fb9c2c24915c203d5108639a46ae3b54d2c3ab01b44fb3ff7ba1b9bf47c63bb549ab2d5a9749edb49fbf17555cd8b4b8a9992aa959b3ddc94f2265054534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13371222579631002

Filesize
881B

MD5
c6184c4d253d76209d61987b0aabc12b

SHA1
47546987c9582b32f6975eef4988f42c06e127fd

SHA256
31a7f224ace180b29f688576b4f5a1565ac4d4510a7b66ae5730a4b586ce3799

SHA512
b2ab92cbc9bf33c1a5ab6230009782319058aadd5b4489498ae78de43fcb957f219db689b7318e4058662fc964499657711c9b46e889594ee3022211dd6aa140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
7e87095af2e9ccf3f7709eae94f3d8c6

SHA1
215744dff129c63c8cce9de8923ae6ffc9f23f37

SHA256
c5a020acae6ab393997997a0ffc2497424c1fa5d3b1060a7c443e080bf4983e2

SHA512
ca244833ad13bf6e30fb9809e3afaaa8b8d2df5179672ed6fd1779db850441f1d5123336d18454e4269ec89e0bff7510c83ab95d701760677a51b2d307bad9f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
25aa53c863c7c6b14623fdd57f11f124

SHA1
2069aa1e74b7249d4adbb1448c8c3dc9ca8c0bf2

SHA256
a95a6b60019464ef8fd4f2923c9173a5b23559989a53c468adee667d1f4ba789

SHA512
3536ecb11ab4e115029ebe8123e4d6ebd10080f5fa5a353dde8177b6ae063fbaf20127fab1a6405a90ea08f2869912ae774128255bd474316f702ec16f0a68f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
93e2f51229ed0329536a5b7b8b16cbc5

SHA1
bf2e4810a0d83a8b5fd4c1aa2a065837189a4a74

SHA256
9b6ae5234f26229068049853037ad96014674bd93424f712e29ff989d91549af

SHA512
9edf551b70672c8a0aab367ac8858a076bdf8085739e4e2185e7274daab861cb477c85c74a1bacdb6298a4540fbb32ca40ec99c26cb3749086693bfe068efa0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
58cfc5a50dab01e23da49835c0118234

SHA1
c983e7e6c49add18e0a3cfd32ce685e98633861c

SHA256
b06809529f324c10e81f0c5e7954bb9439a1824683bbc83576e49f76fffcf735

SHA512
cbc7ca0ee7022a46caf910fb0d1a9c5c5030a283ea633930783716e484188bcb6ab74b2eea97defb4684b685328eeefc0c766002769b8e306babca53e40bbbaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
909B

MD5
c276f2e9bee3bb5971adc8241a012e5e

SHA1
47df3ae76eb9f166426be5ffe81703f937650d19

SHA256
c65c3f6aa5197b39ffd0e6aeb51316ead64891d04ba8b9047690dd8a1b00aaf8

SHA512
14459bf3645f9e2e86e4deb7b8842388930b787bb1d8aeca384050d2e9a33edd8fb481eb953035bbe6f66decfd0ae4dc613b4c5b8d3da699bc51a9e60619ef18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
d9185fcb68de025e37e0ad49f6e33e17

SHA1
06690ca69a634b056771ddb90920b3e2285e80ef

SHA256
c1379651af06065b4733f6237879cf4d4e938fd5f439cf48fbcaf1edd4ca0ebb

SHA512
c1ef1f0fb981f76606be1cc0a24f80e32caea2436aa24a6f1e6248553519724faef4674e9efe6245ba0781cce510e3a21fcee2e0ffdcb5d8d773b595448fdd29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
860B

MD5
ee7e5715400d77ee74f9051f06e395b4

SHA1
09e90396bd36c59188baef8e52e66c997f69035a

SHA256
273dc4ac2ba19ffb32b4360b6c2e9bda9cf50030b0b8af539aa5883977cf80d9

SHA512
b74d6b86c3779731befeeb95e57949a55c66faadd0a6871091ef6f2aad0b80b1d34edf5049a4e9b6a06a2be99f0a17ab4118c65681b955bc374bbb293668475f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
5a4b15eadd7a966e6af3487f20d5a5c6

SHA1
ef3cb56f0a76f31ea14f7bd502d314c4f6d55d9d

SHA256
bdfde4b3447484aa055d1294966cbb652fc8c74b6bee16bddc26487b06834a85

SHA512
90aecfa4db0a425dae2d63b3b6871dfde748e48f0fc6c64ada65a1769e433e62a0da1a87749c1b6e739097671ef1eb80c44cf8ad0584d9d40855dfe5413d8879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
79c18c8eed86bf7db762d393f85cc9b9

SHA1
b6723dca260ef180c3560d4635ce0d8f2ab45c5e

SHA256
cca6b31f672974e269206faa65c9be2c242d14dde78780d1af84f40d105f7c41

SHA512
3c3f9bc0f4f764cf6b8c3033eb9b5c89413515ffc8220dbf49f60758d2d08cb5efe192cb2b2b71ee1beb90e7480475f7e6eda46de8c67753b5a2c5c120c32458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
fcbfbdeefcb71de5e95e2de583ac5863

SHA1
8f4265049104ed9530a82b0de47484e7b9a10dab

SHA256
cf1b9b448ccdc4e95179cd104e38f9982b17a879f6bcc115b1f43d8fd7eb7d04

SHA512
e14533fbe73c11a7c61a990706eb1549e93032025eaa14c564057528d492047153a3f93612883c929d975badb800a0a9b32fa252fe3b086219e94a55efdc7422

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
15e961a6d6bc98530ef3cb5bd6cc1e06

SHA1
a5fc662418b6608e394376e631908622e06a7988

SHA256
8b2deb26ac009e0a0771b3c9b4a02f0ea0e56da91005e3058dbf4e8b94140779

SHA512
84cceab8e7d7cc8a0568584997a87fe580be839b9fd5688bce586876993d1642893fcf7862a9a5159c5dedc779b23b52c2cdbd2e8e93c4982a018b47fa706c9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
305KB

MD5
86d22b89fbc83d274de445cf6d04da33

SHA1
355964c3a7e3e4bd7239898c9b77ae69ba07d8a5

SHA256
cf673564e3b38f1f8707bfd96fb08ea421c18ba8f15a29a20e8a58fb3e3951cb

SHA512
f0dfcef7b807238f35adf92260b32349230105cfb4bc05710875529f27e281fe09786f397cfd142023a50b620526870820da2cb4ccc851fe95d4a9dedafb1c00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
11f1d706ac63fc1aaee78df285926097

SHA1
f5f3d225da1de65ad8b80d3a213886327ef95c21

SHA256
9821c8158e90f31a4015a652c1c192ea42b942608b04d01705cc6ef2a2f24c3a

SHA512
f33fea085b937d2348648c79f67c6bf4ffe6139daf4f53b6608cc047aeff3f985245594d8fa1d7a9ae152919829e14c283918d3e475a85d05e83678737fd06a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
d60c034e16e3209a78af0a0b0147f5ad

SHA1
b83458a72b915a29d12332450cea7aebacc86b58

SHA256
f2f053cd7f22cba15351bdff719b313ae1f254b3b288d1fce80ee0f9a12e4144

SHA512
bac98dafaa72773a6acc30479c60bdd4d87460b08d398561863274ee9aac92db148eebaa2edda804cd87a17bed4be1d55f6ec4721b6156d410b7426b091fd895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\490854DD-AD89-44CE-BD57-EFDD5B778BB8

Filesize
171KB

MD5
a5ae1ff3168a1b23c60e5eb0ab88c483

SHA1
d26fce22543be9c89e524ea985e89df26c9287dd

SHA256
cc34d53c103f857ae0d6bda2ac15b23eceac48d939c37925b4597514e26f5c19

SHA512
e5a951eec7e20c67400a4994660028fbddbb172db33c58010f62578bacd395045bd60cfa334067b37b497937435531d7e9c3c52e8988ac425f2257b22f9cf382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres

Filesize
2KB

MD5
5561a40d6e382489de02db2f4743df53

SHA1
f859fe18852f0a1f2c07bd3ba463f4855205fbea

SHA256
f9f6a9f0427bb0c3266782a644eb572997d6e705c66ba76988e6b5b695f45679

SHA512
016281db5950a860377d4636526554eb05ad511330f5642f5bd8d60327fd67d1cd6f7abe98491c5cf09171e7e4e09e083dc5910f96a2b9c3682c3c388005260c

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
76B

MD5
5b1268965d7951c5b388809a73540120

SHA1
67542ce6f8d27420d9dd6d9e12536f03d089649f

SHA256
d3497fe5bd56a146e4c920b34c4cb7b001cb783e3f8d37cec08a012ff23c797b

SHA512
614dc4bffe90cfb7dda963973b924e7ccaa06edb26bafa8242c95ccaa0f99966acab8dce982da48dfcdf72b5803b967bf8c1ff00de1a3b182dc8cb81a8498e12

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Ya1584

Filesize
75B

MD5
3f9e7b9425ae8b47635dd9b724c2f700

SHA1
347c53acbf61f67c47dcfcc97db61a72b0bb65b9

SHA256
e6f62d8754da4713df04704f46195cff908af611426e5b79eff91a1681af7330

SHA512
6488fa598f689ded73f437fe8573c3d1f7d57408cddefc5d6ccd95b43c6fc2de845dc14e9a682d8c877a4d60896b01dac88789b309182d6dd235503b1f96691e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
f80254116cb047d5105872282162305d

SHA1
31ff6b5c17a9228a55481e63bd84ce3970982514

SHA256
8e7569d8da6cf6254ba7b21850f37808f614fd145821d88f4928bef8f7a9b8bd

SHA512
05ab22a48e7322a86cb8482a136a2534b0db37ee30855722750feac74bcae16eead18101b8196392e9f06db3d042afa1ca171047581bb2cc57694c37cfd5daf7

Download Submit
\??\pipe\crashpad_4932_UIUKSIIDEPPRQKDE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1584-503-0x00007FFFA4C20000-0x00007FFFA4ED6000-memory.dmp

Filesize
2.7MB

Download
memory/1584-511-0x00007FFFA32D0000-0x00007FFFA34DB000-memory.dmp

Filesize
2.0MB

Download
memory/1584-512-0x00007FFFA2220000-0x00007FFFA32D0000-memory.dmp

Filesize
16.7MB

Download
memory/1584-502-0x00007FFFB4760000-0x00007FFFB4794000-memory.dmp

Filesize
208KB

Download
memory/1584-501-0x00007FF761390000-0x00007FF761488000-memory.dmp

Filesize
992KB

Download
memory/1584-504-0x00007FFFB4710000-0x00007FFFB4728000-memory.dmp

Filesize
96KB

Download
memory/1584-505-0x00007FFFB46F0000-0x00007FFFB4707000-memory.dmp

Filesize
92KB

Download
memory/1584-506-0x00007FFFB4400000-0x00007FFFB4411000-memory.dmp

Filesize
68KB

Download
memory/1584-507-0x00007FFFB4390000-0x00007FFFB43A7000-memory.dmp

Filesize
92KB

Download
memory/1584-508-0x00007FFFB2470000-0x00007FFFB2481000-memory.dmp

Filesize
68KB

Download
memory/1584-509-0x00007FFFB2450000-0x00007FFFB246D000-memory.dmp

Filesize
116KB

Download
memory/1584-519-0x00007FFFB0310000-0x00007FFFB0351000-memory.dmp

Filesize
260KB

Download
memory/1584-520-0x00007FFFB03A0000-0x00007FFFB03C1000-memory.dmp

Filesize
132KB

Download
memory/1584-521-0x00007FFFB1C50000-0x00007FFFB1C68000-memory.dmp

Filesize
96KB

Download
memory/1584-522-0x00007FFFB02F0000-0x00007FFFB0301000-memory.dmp

Filesize
68KB

Download
memory/1584-523-0x00007FFFA4C00000-0x00007FFFA4C11000-memory.dmp

Filesize
68KB

Download
memory/1584-524-0x00007FFFA4BE0000-0x00007FFFA4BF1000-memory.dmp

Filesize
68KB

Download
memory/1584-525-0x00007FFFA4BC0000-0x00007FFFA4BDB000-memory.dmp

Filesize
108KB

Download
memory/1584-526-0x00007FFFA18C0000-0x00007FFFA18E5000-memory.dmp

Filesize
148KB

Download
memory/1584-510-0x00007FFFB1FF0000-0x00007FFFB2001000-memory.dmp

Filesize
68KB

Download
memory/2492-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2492-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3412-2-0x0000000002230000-0x000000000234B000-memory.dmp

Filesize
1.1MB

Download
memory/3412-1-0x00000000006C0000-0x000000000075E000-memory.dmp

Filesize
632KB

Download
memory/4112-232-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-61-0x00007FFF7CB80000-0x00007FFF7CB90000-memory.dmp

Filesize
64KB

Download
memory/4112-235-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-233-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-49-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-50-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-51-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-48-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4112-60-0x00007FFF7CB80000-0x00007FFF7CB90000-memory.dmp

Filesize
64KB

Download
memory/4112-234-0x00007FFF80200000-0x00007FFF80210000-memory.dmp

Filesize
64KB

Download
memory/4344-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4344-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4344-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4344-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4344-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4632-27-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4632-23-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download