c1116053bbac19ab273dc120c2984c235d116cdcc9e3ac437951b55465fd7063

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmr_72.exe
Size

508KB
MD5

da9e9a98a7cf8da14f9e3c9973328fb7
SHA1

42e37cbfa37877d247ebd37d9553cb6224d6bee6
SHA256

c1116053bbac19ab273dc120c2984c235d116cdcc9e3ac437951b55465fd7063
SHA512

ce98f1984a3db301df7c1078dc6014fc1a03a1643c5635ef59775ee8019fbae4e07c16e99ec3d1998f45947d57493ada96e5116c359a590b14573833eec17343
SSDEEP

12288:EXQrSFtNwn1jAh0zOFJ2+l9AlstfWETRN:0wn1jAh0zQJ9TtDRN

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1496	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4532B4E1-813A-11EF-85F9-DEBA79BDEBEA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05aa5194715db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb9000000000200000000001066000000010000200000003b87531331d7d2748f85914202e1319e6ea165ad4c9afb828f631a032e68be45000000000e8000000002000020000000f274ede85b7e13466b06f0cd2b12d415f9d592b07b61534bd8c15121fecc30e820000000c68e5b527f34f4f103d9a12efe27067e8684b71502af96c5a5bcc4c3c442bc5d400000005b8e53dffe46a65327d948bf13d86d670e748325633f86ccafc582ecbf338915905a1e361bb912589e865fc2daea16b7b83a2620ad956c6db95d6ca12832ad97	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000c7e3f3d64f1ba786626aac2e9c8e07932fb93fb9ca686c9fe57850b456576e15000000000e8000000002000020000000f26176581ad313b131c162f3597ea3fd634928db3580ffd9d3cede88ad2ca74a90000000f56476bafe8653593c6027b222de99b7fc235bc915c7b42c5ebc8b7b44d1d7770a77e9b405ac69695a6988b531830ec1a11a22d85e0357095e7fab66c146cdee0cc4b04ef4335b85dfdebd94b487235e92f337949f5adb34efa355a7bd57af432eac4aa82d9378f5732f00400a44f173f39815cfdd529954ea373fe4ebacf34d7e7a464875667393f8805c7afb114887400000002057e9748ec6166374975e5a5526a985891ec3f129c496adbbb16079da6ecd73b915f50003d46f29849fe992b41a1cd1e8b0979e4251d28b43736214a87fbe3c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2860	WINWORD.EXE
1984	vlc.exe
2228	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
448	chrome.exe
448	chrome.exe
1696	ehshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1984	vlc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	dmr_72.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeShutdownPrivilege	448	chrome.exe
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeDebugPrivilege	1696	ehshell.exe
Token: 33	2180	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2180	AUDIODG.EXE
Token: 33	2180	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2180	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
2232	iexplore.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
448	chrome.exe
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe
1984	vlc.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2860	WINWORD.EXE
2860	WINWORD.EXE
1984	vlc.exe
2232	iexplore.exe
2232	iexplore.exe
316	IEXPLORE.EXE
316	IEXPLORE.EXE
2228	EXCEL.EXE
2228	EXCEL.EXE
2228	EXCEL.EXE
2228	EXCEL.EXE
2228	EXCEL.EXE
2228	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1228	2860	WINWORD.EXE	32
PID 2860 wrote to memory of 1228	2860	WINWORD.EXE	32
PID 2860 wrote to memory of 1228	2860	WINWORD.EXE	32
PID 2860 wrote to memory of 1228	2860	WINWORD.EXE	32
PID 1728 wrote to memory of 1496	1728	cmd.exe	35
PID 1728 wrote to memory of 1496	1728	cmd.exe	35
PID 1728 wrote to memory of 1496	1728	cmd.exe	35
PID 448 wrote to memory of 804	448	chrome.exe	37
PID 448 wrote to memory of 804	448	chrome.exe	37
PID 448 wrote to memory of 804	448	chrome.exe	37
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 324	448	chrome.exe	39
PID 448 wrote to memory of 2204	448	chrome.exe	40
PID 448 wrote to memory of 2204	448	chrome.exe	40
PID 448 wrote to memory of 2204	448	chrome.exe	40
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41
PID 448 wrote to memory of 2328	448	chrome.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dmr_72.exe
"C:\Users\Admin\AppData\Local\Temp\dmr_72.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ProtectTrace.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7559758,0x7fef7559768,0x7fef7559778
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:2
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1300 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:2
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3344 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1268,i,3717941285735913551,5256511841000324634,131072 /prefetch:8
  2⤵
  PID:1260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2304
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.0.2097648448\654468800" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1092 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9688068-afd4-439e-b8c0-098d7cf9cc60} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 1364 104d7458 gpu
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.1.1511516184\1529023527" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {659a2f71-5066-4c5a-995f-a1bad82d6c25} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 1524 f1ee858 socket
    3⤵
    - Checks processor information in registry
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.2.575352844\895474184" -childID 1 -isForBrowser -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53688eee-c3d5-4699-b589-2faf10f13b75} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2088 19d67758 tab
    3⤵
    PID:1920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.3.1416857006\999302205" -childID 2 -isForBrowser -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ea3e11-31a1-4fac-9295-ea399899d481} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2460 e5ee58 tab
    3⤵
    PID:1608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.4.480542698\1183069457" -childID 3 -isForBrowser -prefsHandle 2524 -prefMapHandle 2520 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a526511-b562-44f3-aeb9-fe4eab699b06} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2792 e5bb58 tab
    3⤵
    PID:2244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.5.1151881567\1049607417" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4e5fa5-d4b6-46a5-b584-65eb652b53ef} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3940 1ec84158 tab
    3⤵
    PID:880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.6.1751853167\378824965" -childID 5 -isForBrowser -prefsHandle 4056 -prefMapHandle 4060 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edca529e-7d30-4285-9af1-e57d7e25e742} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 4044 1ec84d58 tab
    3⤵
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.7.71990700\1702017589" -childID 6 -isForBrowser -prefsHandle 4248 -prefMapHandle 4252 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90951951-b10f-415c-9196-3a7887c7fbea} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 4236 1ec85c58 tab
    3⤵
    PID:1604

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnblockFormat.wpl"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\StepExport.DVR"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SetStep.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2232
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:316

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3060

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb060ab0bf07af4765d45a499a307a0a

SHA1
b4c3da62b557295557417a3ef2d1736dfe7a7130

SHA256
b4d6b48df87cefb1f6976ab515e2b18a9b278cad7e05d3a9280df3befbb2859a

SHA512
76594b057d6ee52089343dcc4a64165bda044af86defccf27ec5a751b3c629d6c2320f21016656d777ef7b01af2fb42d4c6c268ee3b7f9cb18c1fafdfde08fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
501d7daa5ea324ab48a878648472f79c

SHA1
bf9e063c0268865ec09a98f809e02350585ead39

SHA256
25199cf7f1731fabe3f5a40bee74c55acd5e411907168f45001ab7305fe3e4fb

SHA512
289e9b11a290c8df1b2009fc8fc2c8634bef062c69a2cecfc448dec5ea682bb1ff9987b6e25e295d5ad6b8a7a9134b685bc4726ddb78c84f4a1c61601f86c756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d0fc952a53c6eee18634de0a0805cb8

SHA1
274f44acac3e2af9e742feeb553aa6744e7b5c88

SHA256
fab2a69cbfe33a5cec2bb4ec004a6c4a147e7a4ad59410b426846b4a9ede486a

SHA512
50534d3a1fae76fc5abd31f6fa6f0b9302cc81ca17c9e16e93b6352851270a5b6bef1b6bbb472098c08867e5f8252fce616f65754048d4b0964493d1f1c027e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b121e35f25eabd9d5a8328c9a5097b

SHA1
f049aac5ec9c009ed327200e67f9315a518df022

SHA256
97287a67f303f79755c3f3fb391566a12fd2bc508d7bf411f56ca94f4d9f63a8

SHA512
13b6f32e3de9702191c10f10b15b8f03e1d19f56d7bd8733ce3aae0077c9e1e037624715f9df81c902670b434c893da389dcab8d1ffc6f603797f6d1d88c5fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04a5395f96c62169d0f451fa02fe3628

SHA1
eab6bfc7e6a85ca48c6a91d8ebf2c1757da1c284

SHA256
3473d31cfe82a4ac81c6eff2c25736b302286bafd60f8a274b48f87ea2ff5f6a

SHA512
b0ebd7fe9052f756fb0c291070361b36f96c616e6d3e930b2c02c40dc8cf31fd0c4492e4d4ea435e11b9e7b7b0e527f8da130513e455962acc5ecd5df7e82cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9a7f6f784e173978e01f536eeeb8e1b

SHA1
4509c47f690ee274bce5be41a23626d4b3618e05

SHA256
6bcf6a6c7e850b6b99646d134778ec524d32ce05cbd114adfc4ed60d0e591aa2

SHA512
74137cc49306ab8ae7faed3f7acdb7a6e75567a384c6198f610b59099bc521d8887d6b34403a2b912647312d09be64400c73abc41006d0cb45e611d99fceeced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e0fabc0eab69191b20f0bbc6b8b2423

SHA1
4ba047d9cc0f356982543ca243d65f6884a3ce37

SHA256
9cc501ed69e3ca4d1a907d2cd3540f2a58b6a683a50ff212dea0e949725b2020

SHA512
f09a54ec7bef02dc03d8ba5a91811ce108764ac85ecf6429be442e73041eee1f04e66977e0ee8e0ea3631f106563bb7f0b8adc8902f27d462c0b94f54a8169d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
442d3329b379b6b0ab1f1227a32f8241

SHA1
da6a89328d2fc28386305fd4e0bdb008eaa35378

SHA256
3263608e0baf6d45f97294ae1b405c0af5a2af32419b1e400db42f74887aed6d

SHA512
d4b929877e1972d9d7ace525da200f1f094e6ddbad835601165be6d4ef43aca949b02bccbdee5ecf1b3ba607fc5f851d09939c06117c546413771b1068716dc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
132d82e17836273395c0b3538b67a410

SHA1
655f010ed268ef885129e3d6ff4a728e96545909

SHA256
457159cad90faeac3f670177f291ba110daccbe2d45dbd61250be6934b2199e9

SHA512
423e75f966a43cf34b805421fb5af6756e923714e999f8a7abcbc5c81d21c56798b0cd00b9e0b452297c326cf5b5755fe2028bf0a6ae6f8a19b7edc99ec0a2d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4d02d508-604e-4cd8-a824-6dfddb1c8aea.tmp

Filesize
333KB

MD5
f9089d9d0cece234deb27cb4f7805807

SHA1
cf24a1bacd47d4c82ccf234d1c38fa6c0e333f68

SHA256
580b02caa6d331e7345991fabaa503668cad31b9888948d6bdfa65bd31eed4f2

SHA512
a0182d505c54874c6b167a74577da6a74f2d32fb342f53ebcd86374ef6ae98a8ac586b7eb1129e37aa9dec88fc5e5174a816d88458da329899e8b6b01ceb4f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.docx

Filesize
12KB

MD5
e13bda57baac73c45e9b83cc2169f090

SHA1
4e2de1fe0306843204950a7efadcad75d095dbe3

SHA256
33e34118ea140aa3e0713bddee6dfd0438b2f8c19aa2ee87a34e635b629c83c1

SHA512
ecaf0a4dc2f7b253b679d1aa7c301a0fdce6776717146d86be22c2af81cd052fe9c14eb35649af343f45cbd3a97f93d2fc0d27654922b4543c6d3ab57df1355d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.docx

Filesize
12KB

MD5
66bd6c3b4925566e5570c79f185f6469

SHA1
6713798345d1852806bfd6dd623b256c034111a0

SHA256
1fdfd42c6978504cdaad1fdd5f89ba97012918bfd97582451e525eb0dea8e6a0

SHA512
964bdecc5b5ab7c09a183fa9876b05848f7a2593fa6e94e05eb9c4388b53ba3fc1e11dd88f1ac8412f7418d1d03cbd13f8afae30886d7ad1286993369c077a3b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
e989affaa5f6fc2e3da262de3de55d2e

SHA1
492c9502ef8242199a39e425b17289ff88e4f266

SHA256
5f67559b6ede0bcbf30cfac8ed90fb02e283e1d2d6989e164f550b0cca4a5f12

SHA512
2eecce556429eac0643c3d6fb06e660a9a0b119a281ca5053bb1a45180359b2a650c09ab9e5ee197b1220317fdc3ba70a7e12f48e0e37b6bf1b03dc3fe383fe6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF568.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF5CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
449B

MD5
1261fb88a2ba94e6e85c7d9d073b9bef

SHA1
91f5173d76b8a1b6d68de7157a76adf03a9c8def

SHA256
f2f153a96fec3e9faad1e433f0161be5af2fbc8cb64ac1638444904719dc78f1

SHA512
aac4316bcf7bdad7ddd2094b118b3c5df16856aca66547e7fa11f8b869b6415b6e326609faa7ad95559fd355119e3157c24f322a84360dde22f9ccc3940e77e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
257f886773eb9468d4e83927c71e33be

SHA1
7ea3d9d413388cf3b33862e257b63fcfd33ac91f

SHA256
8dd696cf937f8070c31f33762bfca599687e2ab56afa63f48b543fb7ecef2e0f

SHA512
14bd1010eba769ad7987500e7b2646dc676fea05e8828f981d32ff7f55f380ff84c516e80085304a3851fd29670a10b97c4cf4fb4b7618bdf58c2c327bb09f5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
549281ce01e5efe9c9930e1039801dc4

SHA1
54feef6aa4f4d334b80ec5b4b59ef3c0f1439b86

SHA256
69751a9dd34fe0940810d4e5940a69e6643503553aa3ae700ec85dc50d2adaf6

SHA512
edd527ec1386686ff6a4c531257892e04db33f7f581e6556b32765ddd16cbc6b2531082ac5a9d1c82d6ab9c747a62329485215d90cd3e7f2b8dac44b18a7bd76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\9f4fa947-66ba-400b-acbd-ad15716f8fd6

Filesize
733B

MD5
9c2910d7313a008d4ef6c797c803a220

SHA1
8016e39cf8544595d1474cfe1c9c160f9c1db2d3

SHA256
7dc5cdf3eeff0f4f3346ee2e2636539839e72b6f57c7517d40f98c9404f12a75

SHA512
11a57856d820407caf98a0b05a066228219d19593ee8b80dcc1959460c713942bb7026c7fc3c8397708e8662a6f72bff98dba346bc378a367d55b3eb24b21808

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

Filesize
6KB

MD5
ca74858b4210a108c32ddfa56871aa4c

SHA1
c1aa87297ee79d539f00241628d15b38bf77787e

SHA256
5ebc8b6b4221aa534660e679c6bcdf3d94e94afa9bbd1644856d96b8ccf0b287

SHA512
77eb2171d2ee8f231f982ad982b20cf9f9e81e43b2ee55534bf859b5aa0f3fa0730ee3c53b4424cb4dd3f3054c4fe4c5bdbaf2d5b0daf963feadb70aa654fe14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

Filesize
6KB

MD5
556ed78336ed6adab198ef9f9f57c1c3

SHA1
bc0dc9be8d03cd78c9cdeb99e6264b6d19105aa7

SHA256
901e9f5427e767929c37b55f09b303208bfedd77a3e86a9780c2cb08c15ca905

SHA512
4d9ff8260aae5022946f062abdc0cbb2ca430025001573feec239aa4544d5b3eddf7f6b4bead4d70b93b7f7e2440572fce56042230f15ebe572748eb1ba1b4fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore.jsonlz4

Filesize
832B

MD5
abe840e9c6a69df2791a458551ce01e0

SHA1
7a7d7f22f751f57615d360e4332157757f88bbf1

SHA256
23d89f702ef723c0a9542884b692e4fd3d46a227b49ade2af027c660f828f36f

SHA512
fb29cc53ae65c70725a77bcbd43da3df725c5feffeabda943ede21c3e5b2d57be4e2b151f2654af6d612ab3d5349f05ecad80976dac520cbd2ddea402dee525c

Download Submit
memory/1696-441-0x0000000002060000-0x000000000206A000-memory.dmp

Filesize
40KB

Download
memory/1696-439-0x000000001C1D0000-0x000000001C207000-memory.dmp

Filesize
220KB

Download
memory/1696-440-0x0000000002060000-0x000000000206A000-memory.dmp

Filesize
40KB

Download
memory/1696-434-0x000000001E910000-0x000000001EF18000-memory.dmp

Filesize
6.0MB

Download
memory/1696-435-0x000000001EF20000-0x000000001F0A4000-memory.dmp

Filesize
1.5MB

Download
memory/1696-436-0x000000001B960000-0x000000001B9FE000-memory.dmp

Filesize
632KB

Download
memory/1696-437-0x000000001F6F0000-0x000000001F7A8000-memory.dmp

Filesize
736KB

Download
memory/1984-428-0x000000013F4C0000-0x000000013F5B8000-memory.dmp

Filesize
992KB

Download
memory/1984-431-0x000007FEF4F20000-0x000007FEF5FD0000-memory.dmp

Filesize
16.7MB

Download
memory/1984-430-0x000007FEF5FD0000-0x000007FEF6286000-memory.dmp

Filesize
2.7MB

Download
memory/1984-432-0x000007FEF4AF0000-0x000007FEF4BFE000-memory.dmp

Filesize
1.1MB

Download
memory/1984-429-0x000007FEF83A0000-0x000007FEF83D4000-memory.dmp

Filesize
208KB

Download
memory/2188-3-0x000007FEF6850000-0x000007FEF723C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-1-0x0000000000C70000-0x0000000000CF4000-memory.dmp

Filesize
528KB

Download
memory/2188-0-0x000007FEF6853000-0x000007FEF6854000-memory.dmp

Filesize
4KB

Download
memory/2188-2-0x000007FEF6850000-0x000007FEF723C000-memory.dmp

Filesize
9.9MB

Download
memory/2228-877-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2860-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2860-4-0x000000002F811000-0x000000002F812000-memory.dmp

Filesize
4KB

Download
memory/2860-5-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2860-6-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download
memory/2860-26-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download
memory/2860-69-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download