18a00cd89a97dcc6acf7dee058bb1be6459520130baddf959a293503fd0bf8bd

Resubmissions

19-11-2024 02:03

241119-cgvkxayncv 8

19-11-2024 01:54

241119-cbp38szbrn 7

Analysis

max time kernel
2593s
max time network
2281s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.html
Size

17KB
MD5

2789032074268c0f13b9ccdc8565385b
SHA1

9e69852519790e006b66a70f4d7c84f728545372
SHA256

18a00cd89a97dcc6acf7dee058bb1be6459520130baddf959a293503fd0bf8bd
SHA512

f2710970df7aa31e57864c3ba0d9482fd9a8c10b32251e104ce1e354d3b46b512f045ee36a4efe1e86b1da8d10bad6e3ad87bd838395f5e31530d8b63822d104
SSDEEP

384:32A9vxP29PPGkGd17WNDy0Af0lP/Je7DgNz:3zvZ29PPGkGz7WN7/PKDk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
476	cleanmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	dismhost.exe

Loads dropped DLL 27 IoCs

pid	Process
476	cleanmgr.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe
2916	dismhost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\setupact.log	cleanmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Targets_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Targets_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Targets_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.Targets	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.Targets\ = "Targets_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Targets_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Targets_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Targets_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
476	cleanmgr.exe
1624	systempropertiesadvanced.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1632	AcroRd32.exe
1632	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1740	1908	chrome.exe	30
PID 1908 wrote to memory of 1740	1908	chrome.exe	30
PID 1908 wrote to memory of 1740	1908	chrome.exe	30
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2744	1908	chrome.exe	32
PID 1908 wrote to memory of 2856	1908	chrome.exe	33
PID 1908 wrote to memory of 2856	1908	chrome.exe	33
PID 1908 wrote to memory of 2856	1908	chrome.exe	33
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34
PID 1908 wrote to memory of 2840	1908	chrome.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\download.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef79c9758,0x7fef79c9768,0x7fef79c9778
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:2
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:2
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1028 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3700 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3824 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1824 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3540 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3752 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3220 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4068 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3928 --field-trial-handle=1272,i,3965264397998408574,8893194876261028593,131072 /prefetch:1
  2⤵
  PID:700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2788

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:492

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3008

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:788

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:836

C:\Windows\system32\systempropertiesprotection.exe
"C:\Windows\system32\systempropertiesprotection.exe"
1⤵
PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2536

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3044

C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /D C
1⤵
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:476
- C:\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\dismhost.exe
  C:\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\dismhost.exe {68E65BEC-C898-4111-8FAC-DD011DA9CB22}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2916

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2436

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1244

C:\Windows\system32\systempropertiesadvanced.exe
"C:\Windows\system32\systempropertiesadvanced.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1624

C:\Windows\system32\systempropertiesadvanced.exe
"C:\Windows\system32\systempropertiesadvanced.exe"
1⤵
PID:1292

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:2848

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2932

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2692

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets
1⤵
- Modifies registry class
PID:1120
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\115cd4f7-c1ae-472f-8c1e-f71e1478746e.tmp

Filesize
334KB

MD5
c94c676fe67bc8a89dda10316337a6bd

SHA1
6d4b34173d0e967994a5fe70f0bb19e5af57c481

SHA256
de0de95aad5e6db9d5708e107595b5936772b53947dd656ee8461ed17b57b034

SHA512
baf0c9ec4b795b414e202ba2d2aa768fcc9afdc2131ff442feaf19c9be13f6f6d137ef03d680e80dc4adbaf6ad3f5ed73b0bd41fe11cd2a72c85243d2d608da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
76KB

MD5
07b41edea8607bef5bc48bc47ed4f3ff

SHA1
cfbcbe9e701491061d69e9b723e479354f5ff25e

SHA256
75569b01ccf6929e9ff3bf483d077f494e947bb7b0ca72cc530f4a4f66e3c37f

SHA512
b9efb9c32d39a3cf00ff1c8bb341aab0b7b115427dfae1e8f73b2b18006552e4639bf5a0d913aa29ae921c49f1397e9b7db51db2c278da190bc1d7b3daaf166a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
34KB

MD5
cd35fe7927cb5e0b48f4eba4280a1ea8

SHA1
6e184228d0ca30b2c2e66933d3ca85108af0aac5

SHA256
c62a45b54360c0529aa9a5acb9a19030bc709c9b680b9ff6a4add597e7bd222b

SHA512
5966c2cf99c5f43bdff515529d4204595bee58baa73721ba416cd44ccb7f192a0b928090f66cbf8259bbf9d43b7d6855a055658bd2a815ff4f8f5d6f51f78819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
101KB

MD5
8647d7bb0e6f2f0c6ff66249b554284d

SHA1
462207660cb2d748570eff3cd8e89f85df062665

SHA256
6aa9f65420e61feb1a4684dd15aae8f69c0ecb3a0c67d4652a8f4fdc35848839

SHA512
464bdf6d6a78e8f21513c9f306c068fd3e647845fc4311c69727c16dd62c4c2e0f99f4cedcada5d6f410ea517ce2884dcb4c8aec4d5f6ffe4fc4eb1b4417e2b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
84266a1371d4b68fef9afb4963c6286a

SHA1
42dcfa2a17bf1bf8aa25faae53cb7fb6bfbfb171

SHA256
bb55c57fccb82a10ae1a9e7f8078f2399db6def7dd2027061e31f2930816da90

SHA512
ba63922f6d3991cdeaad67e0d6821d7177024ae9710608ca0ea80c6da95e6d52ba17b18261c50ffa32532e4ac0fb966d0e0be4a2960426a2fa7c91077e5b87a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
685B

MD5
286e60eb1cdb8ab41dca03f0b925c861

SHA1
0773b9253d6b6e663dce2c82aeaaea2d3cc8a14e

SHA256
9a0108e93ee815bd1d2916fc713565e96325df01214fc917b0afa77a6d8a6e91

SHA512
5b8ec3a26362418bc0c816b936946601714160c72032eb4b6c97f8534c942abbb9dd17be9984a8023115020e1115fc6213f55474ba19caba5951af1e0c0076d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
846B

MD5
ccf565d95c667cf87cf5b0af86b823df

SHA1
cafacdb4999ad79422bf055e6b3ff8e543f0b71e

SHA256
8d0ff0d7ef0f2bc7ea206369d68d1554b8ea47aaad45da67dafd3f6887b2c7bc

SHA512
ab565277322dc97095106d19e663faca6e890dde5fa5b41772ca70427dba716dbc50c6cb71db6a959c9c21d41137fe974dd5bb60c953ed68d5d2ac263be4b0e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
848B

MD5
ab72babe0a92dcbafd69a0584f3bbe1f

SHA1
7da1c77bbe34ec9b618480d2e9467ec28358c07b

SHA256
a55c23e6e06f82d033d639e9350e4d5ee90884fab852a3521bd7434fd0955017

SHA512
da17217818129cfc12fe82f855661cb322f05d13b6ea4afe421d87e6a109dd82d3ad2d89095121f05e6eaee8c6ccfc0156674698b2dc19cb3f6d4cf437f874bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
791a829d0c2820dcfad454008b24ad74

SHA1
222095b4a5907ae76083134d25c77cecf02b3601

SHA256
dea3be40305dc219b99c69d45d9c10b4499d2cd23e7cebad049e596689ad1074

SHA512
9bb5b3137089254281e59febafce5a307179679fde59e39a1c11f0c8944997bb38304568cfdcaaa83066c475c99727629ecf3ae8586a9180dab67440f5746ce5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5131ddd1e61c7a41e88a698bb731af49

SHA1
cad45c7ea21e0f6c90ee0383cbed9702dd6148e3

SHA256
647bff074aff22655155d980ffec705c55140abc67608e1b6daa8c759a273bb3

SHA512
207f70f455cf721dffee9e20fa7222784d5b2261cc64d8c5959c43e296d6a57080b3add55250f078af732f2cb1793b3a18b5b814280463b4c5aa12ccab56f608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d221dcad0d13c1eda585e077bf2671e

SHA1
ac497ac0f8fc43ecbc9f9829b951c6055cc88ec1

SHA256
79678c81e9343acae0afbccf7b091e4330ee1446d40a1b2bc2fda16bbd5c27ca

SHA512
5a2cbb8f611878cfd5e8587c792eef17bcb4ad61c8a112cfe20b666d979a76834107f29d7d2f5e7e91209c9c895e6f810eb2304a633decd37c2c5aabd5d115eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b2d73d642f3e611379a4831ffb98e0e5

SHA1
becc9d644ceeb33db871660c58a990b1670c22e9

SHA256
ff882e912ed5a7d0f089366942414a4e83760c20892e3d44741541db8ddd0a3c

SHA512
4caaac3a85899ab28272d2536269492de039ce3e71f87662803f6d66c06be03f215e0b3c189f18d123365b242ea51f631fd7217d167419a2ebda5f5a9dadce42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
93ce5f15cb7f8c444c46f13b361ab807

SHA1
1911ed348ae17b0fdafecbec4319f94e9596aada

SHA256
03953b82e00776155608b097af2e99eb3c8d0be1f3a2985fb336d811aa83bd68

SHA512
5a5bbf61287b5f14d197313b8a24532b2ca14fb2d712c784f11d23e36f7fb94ad2e3f4bd244b55b07d5a639041399e250ad3976687d201484b6a3c8a74079e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
334KB

MD5
0fa45983eeadd68f8305197d9113364b

SHA1
8eaea0175f89126b813dac8e345f0479495903df

SHA256
8d861bd4e8e2155363c9acee1a12ef40679d3665371aa57221fc3931a7b3bca9

SHA512
10ea4cf7041fa04aade4a2b48f84539f002ace9ecc44efbdd662a573a0618e20cc073267e8646998c1f4d771ea50c94e568dc37b740d598ea4cb1d82c15d65ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
334KB

MD5
710a676d96d3256a8481d9e2b712cc01

SHA1
40feac2f6a479ac0a17a75c1d57278c4ec31bb98

SHA256
c03c4ec0b44fdc009e6fd2c243d13832e8d924cf8c2f3ca2b90bd5137cb28379

SHA512
18bf92682c5400760b49c8f2d69a8e3e2e84b8f1de7c8308d49f04901bf8280416062db9bbdc056bc55b8fbabe7f5ae5d88f0889b3aeba42e9a9165c2dcb5e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
334KB

MD5
1532e17539eb227988384ab10eed5b19

SHA1
91ec19a18709438cab653db0c7b0f72935a59739

SHA256
4051b4363e765895ff8b69f07159d3e7f29ee0d9e2f6de45441a87b29ce9e23a

SHA512
1f958757faffc7ccfa52715891969cc844e0bbf236114ee469ae1b6d3946249eb110d61d93b2477d5fa5fd953cec111a5c7e15221a123eadd849d7407d9e9300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
334KB

MD5
3e4e530ca5ffcae9f93faf3895098cfd

SHA1
c9505731d4b86ac90a5281c100101c6bc81ffcce

SHA256
534053145b9e21c12425c5f2898b52ba2469acdd844cf4177edee79d5648b479

SHA512
3e161955b6d16b5c93ccf3f0602d00e4d33a7d558021178200602148ed58260c00684f053790c9499594d9f0faa17aa041f4b74482c3f96cdd0a4187932876f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\CbsProvider.dll

Filesize
744KB

MD5
efcb002abc3529d71b61e6fb6434566c

SHA1
a25aca0fc9a1139f44329b28dc13c526965d311f

SHA256
b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd

SHA512
10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\DismCorePS.dll

Filesize
109KB

MD5
5488e381238ff19687fdd7ab2f44cfcc

SHA1
b90fa27ef6a7fc6d543ba33d5c934180e17297d3

SHA256
abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0

SHA512
933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

Download Submit
C:\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\wdscore.dll

Filesize
265KB

MD5
7b38d7916a7cd058c16a0a6ca5077901

SHA1
f79d955a6eac2f0368c79f7ba8061e9c58ba99b2

SHA256
3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce

SHA512
2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab459A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ClearUndo.docx

Filesize
19KB

MD5
a7d2336669afda2f0da4e62ff73a8ef5

SHA1
5f955ded0ab9ce72649dbd564f683b8da489c0da

SHA256
7558123968a3ae6b1bebde51a793960594a437f4ed7da1d632dd62e0d4abce3a

SHA512
9635bc5576f1d7bc22aec13cf20cd7c07d79c7c38d508ad6414a967f389daa92e2ef52e604a2d01ec07c286f725b0cfcf0390efadf78bfc9b8e25476c6d45d20

Download Submit
C:\Users\Admin\Desktop\CloseRename.mov

Filesize
318KB

MD5
57399389a50641df6c91bbb672df2e8a

SHA1
35bf8b39823a1e6b8e0755afe5a211e9d77e1f36

SHA256
e1aba4fa3613d12ce7b805182cc9f25e532eabe6aa7163c2740b505d4eda3f5e

SHA512
f51d6e14a64b8d219c3b17a60760c7e53c551454e3af80d64005e77b7a51da82249c092958434b118c51f4020235d80b98697c39b7b9e9b206408ef749b403d4

Download Submit
C:\Users\Admin\Desktop\CompressInstall.vsdx

Filesize
218KB

MD5
dd5de5479a1951413f28f1ab0e621f3f

SHA1
70d4cfb3976da089acdb18069a6ee14417cbf907

SHA256
a8f08cfcc7f24b0a161db2f80f6e2d9ae5d58774587acdf8167142c66b4c2413

SHA512
d65eecbb19f9d77cffcd1e7474e7f0b2da72a44f5345454c2cc48ea1dec554994d28e363cc9bf991a29c7ad773a5695b7f17b3f375b4b1a2d2fe477975102c99

Download Submit
C:\Users\Admin\Desktop\ConfirmEdit.xlsx

Filesize
11KB

MD5
5bcd45e63d6cc6ccf55f4f4655468487

SHA1
1a0325b8dd79dfdf8e93c33bf3d5824676f79636

SHA256
ed0925c2216493bf66aec198a6a84fcd92d515032138ac4d1374e54965f1cc04

SHA512
e1f12b3bf467a160c950c79ff4e1f7b87db97b59e789bf175ca5318c3bec00cee791f81ec758edbb8311d50e5868fabe6e5ff68e043cf2da55c0f952087df88f

Download Submit
C:\Users\Admin\Desktop\ConnectPush.ppt

Filesize
290KB

MD5
bbbe3e6785cce9ba6ed4d7232ce99c54

SHA1
387c1d79588dfcb457582b1f0ce0aa6a2b74b766

SHA256
125cfbc2b18911940e39f2a1d5d08beb69e484fb0c28962dfda4dac2330f1684

SHA512
f0266a17a2a56f9d93bdad4de3ed04d7e58a81baa2e39d6c5fd16b3ed0a5dfa36d210cf7b01d9b0f3de90c9ae78ff0fe7faa4e8976951c0aa686821f7de71ea4

Download Submit
C:\Users\Admin\Desktop\ConvertFromRegister.wmf

Filesize
190KB

MD5
43e346df377413f38a66066a062dc136

SHA1
7a181da03c0cc412ae1f8c9fce88e54e069b5e17

SHA256
793bcd0dc87c0431ee83cde49c6b77831d10d3fbbe32beeb5b8df43d86e779a0

SHA512
ecab5702b64200889bac4e55604d70d9902d71cf8269861a54d065503817d03eeea934bab6603e1a7c1065d08f006c76d4ef07bebca45826eef3a777c368fe80

Download Submit
C:\Users\Admin\Desktop\CopyEnter.xlsx

Filesize
10KB

MD5
b55e84da63e2a0bcd200bf06eb4eae6c

SHA1
26c117cf37a1948d7f77acd2de0637933fa5e18a

SHA256
01092d58e1bff3d6dfcb96885555240f2999fa7d966678d3e9da0effbab9652d

SHA512
237303ba20294d94e4b4788ba76322360cf1184b1b4874c1b534288d4efab473271685490d9124cc89380fdc5e61c28af929ef0623b447c3fd0599ef320442fb

Download Submit
C:\Users\Admin\Desktop\EditRestart.mhtml

Filesize
263KB

MD5
38a45b9f062f75a3e6a6b64e34583171

SHA1
5ba4b312d5b8f154158fe8371802e24a94724511

SHA256
6d5260e3f0fd32cc24547d383f9e234d83ce429f4a49892edaee6e903468a0b0

SHA512
c8e668229ba5266228ea94fafc04e1a479ad752168c58172abb6ff7c55e80e5349785aeeceeb735236f34a6f167bb86f1f580c97da66c723d8045c7ebf8703ec

Download Submit
C:\Users\Admin\Desktop\InitializeRegister.emf

Filesize
245KB

MD5
93eb6a97b9ad7f0d37a3ded1c2908c5c

SHA1
9c6b44c220b92383b2f21e9913c8f829ad69e75a

SHA256
9934b393d4379898b54ac856899c5ae03f67e40e7d53a23114c14ac7c5923fae

SHA512
7344651ac187d216c736f726ec5b8eaf63900a2d1a72cc25dcfc0eed15001fc3053b02d2bb5eec0fdfc785e57344b68b9b7e0e92b8f0309980c794b1d4d84d4a

Download Submit
C:\Users\Admin\Desktop\InstallInvoke.wav

Filesize
236KB

MD5
33885520e9055f469c1379facded0846

SHA1
ea7555fc8b10fc59fa3e42d29cbc681fe74bd8e0

SHA256
b0e9cd8039647370b6a51b7c6b7625cb0ff613bb4456446bc9626eabcb271d63

SHA512
9541808169823222ed3c45bfc848c7b566399d028577d6a40e452ddf76545f7d02c58c40ec28823700b34e76bbf418d31c75a4a01448dc9b8c37232e3c46aad4

Download Submit
C:\Users\Admin\Desktop\InstallUnblock.pps

Filesize
281KB

MD5
971c5276c4128db37ed6ba3ed79555ca

SHA1
83de99eecf8d300be78c357ec40adbcd7161be78

SHA256
48f4ece4d844bfcc51df91dbc2febca28ccc2bf0d2cf092dec98880cac74cea9

SHA512
a57f9c0285d343e5612874f66388514686cb785c77bbe5f2d8b58ac1505c6b40458ef463fd8d2ea4eadde06e1e9ebfe90c107cf076e9ca09ad79c54ec32320a3

Download Submit
C:\Users\Admin\Desktop\InvokeUnblock.ex_

Filesize
254KB

MD5
bf6e43532d0f15ff62d9e60242620c8d

SHA1
dd27541006f877f2c59521d4240ea022b0f648bc

SHA256
66784713180e619ae24dc6c2a75e250aed9a280cfd36064846aafa7c53140d37

SHA512
94c2996f3f321803e959253efeed3acac8d5f353819ae506da6009e8129075b9304276e60b2ed059e77d9f5ee140db9e697ad6688fb7f476e4bfdede84de3b70

Download Submit
C:\Users\Admin\Desktop\LimitEnable.vdx

Filesize
199KB

MD5
4014c4452518650a76e8e534146050db

SHA1
c3da4afbf7b92670a763b9a2efb6d48a66c6e105

SHA256
e7db4d57a51d5081a1d38d2e8bf98e036a4b523e0d61b53ee19d3c7b039ae63c

SHA512
508711a25ee3ac03b9fec6a38ffbcab521540ac676b09efc95cee20f91a3565f795f9a986a9656c8f1c489af2d4f6876169b3a65bdd81935ed7bab6aade19534

Download Submit
C:\Users\Admin\Desktop\LockFind.jpg

Filesize
299KB

MD5
6452c6e4e264efbfe449fade25875bd0

SHA1
540908404015160e33459f82b4411fe7d76adfe2

SHA256
cbe569733e62254e3f6b75593d2dd2a7a4adeaf65dfb3ab0234cd617152781d9

SHA512
7f1941060f8edb1da8fff0673fbf51376f3d0880fcad61775762344d114a5e70c9489f095bfc9a393be785b7f203aaea83c8cddb440567d97f8c66cbef80e6d4

Download Submit
C:\Users\Admin\Desktop\MeasureSave.csv

Filesize
209KB

MD5
92fe6cba64b8a82d3fdf537b390d4789

SHA1
080462e4586f3203ef1f9fcafe81bddf18ab9ab0

SHA256
8b59b30369036f758d961cbfb9d7e6e7eb9378764457b700b698c05dc5b7fc7a

SHA512
d83ff2e11969d97ff65fd732af59b932593664de0ebe5a9852933cfe0434d3e0a42a252df30f5956568171a49ad07008eef980a269f875431584c47d42adb2fc

Download Submit
C:\Users\Admin\Desktop\ReceiveRepair.ttc

Filesize
309KB

MD5
67a77e775377aea3c674b9972ccd7a79

SHA1
96a31d38f0bb1e1af4c3242d02d987dd7d32ecf5

SHA256
3d2b6c7ef39c14650ee78fc823f552065fc064aadc123b0395d93e1797bc80ec

SHA512
1c60b644ccc7da917a8d51e9bae494c11bf630764b59aef0e4f1b8191e88449e59227e71d944ba4259ca4ba1560e7e4a3977c4695399bb02f908b165fc4819ff

Download Submit
C:\Users\Admin\Desktop\RegisterWatch.docx

Filesize
20KB

MD5
d77fe513b4bc51bafca5d3e68f1fbfaa

SHA1
12736eb47d3005b24924b79bfcbc80e728f3b49e

SHA256
311268c2c31060c9afaa5327fef61577a6c06d5be06f14fc32717abd7a410c58

SHA512
12747c97e3aac1ff1b4d9e80e5f4813e94ef8ca1aa5d0f004cd94ae7edda62100e2a7bd9f6f134a7ba2fe365c3579932c5f2e7c201ec3627aae6fd530e162f43

Download Submit
C:\Users\Admin\Desktop\RenameUnpublish.pptx

Filesize
181KB

MD5
93d9a97df60d37f68f9346b80dd271fa

SHA1
9c63da06cb5ab88596c0a78d8d5fb33eaa01d47e

SHA256
f3b01bf14dfc9e1fda6f94777903a447426d74f4a1e6dd1071612397e2f37eeb

SHA512
aa6703762a3ff2e7afe98005f71243e22ab1f493e83688f1e86187e9e72dfb415e13aeb6d81bf3a9724bee06453fd955135e7ac795b32093d777b44ee9dba9fb

Download Submit
C:\Users\Admin\Desktop\ResolveCompress.wvx

Filesize
227KB

MD5
d9f5e264c7a9c0f26e2e3ac344dc5604

SHA1
5caff0021989889ace57bf482b34f8137b934b29

SHA256
24a7accb08d7e119b798db0e50116d3dc51720dee3aeb1471f777434364e1e01

SHA512
ae9c357c1d92cc0a76d2c11b2f90dafe83c7d0296f4854b95f2bf10238983319b5b5938b0b58dce994a7e8203307da4d27d93cf9b43828deb6b452c1bc00e092

Download Submit
C:\Users\Admin\Desktop\ResolveMove.php

Filesize
463KB

MD5
2556d247850a6b68c519351dbe173918

SHA1
eef0b090a57ec3ec6a8fb0d95fa0de98061b8051

SHA256
22f42614be129061c26c9c834b0d5c61f2b7af676ef474a8c3c4c7ea407687db

SHA512
fa8581f845c670515a261eba6e24b8e3acf4003e8096fdb1c6c273191fba56992dbf6495d45d429194e9a7b40d43cb2d24e2b05c9659a774f27d0789698c18d1

Download Submit
C:\Users\Admin\Desktop\ResolveRestart.hta

Filesize
145KB

MD5
070b15b5fb818ddb48191e578c0d5d26

SHA1
049d2aa721000a3c6688ec16f3b040b8c047cde6

SHA256
72edd7f6c69c9c54a6f8571647ed16df36d1f26d53fa362d88be0772a8cd3d65

SHA512
1f64730b1c677313c21b20d380ecc98a1b05892be270d56feba813fd63da74a328206c263032988673ddc4825dc3bcc00cdac69c2aa8cd9a798568d6b6e1bca5

Download Submit
C:\Users\Admin\Desktop\RestoreMount.tiff

Filesize
136KB

MD5
a867f54ba63dd535e1e869a8a849b0ba

SHA1
c62d41b5488b3ad46eaf07331afe26557cd16e96

SHA256
c564f9658209abf18bc92f978bc67aa72b618b9273ffd6adcfbed0ae89d37487

SHA512
07119c0afaa813f2cc0fdf552eab6ccc47f0959480d7dd111df165f556354f3ebf8cf72d7746d8da12f52e04db48fb5ba5ced4350cd43db0d7a4c8baa89cdd1c

Download Submit
C:\Users\Admin\Desktop\SearchWrite.i64

Filesize
327KB

MD5
b0b19f3b8605a791367470f3737b2401

SHA1
01f77b31b95b3e55207d33bf9f546910bbbc844e

SHA256
c7dc1128b872c5c2eeecb75287c86b499edb88f9fe4c25747d3f71e13ca65955

SHA512
aa73e48b547375280dcbcd4046a722170535fb5f2480f616e3b42bc0811545f6b7a9b2fb29bcd4205ddfc1eb2c5f59d5beb70861a2df07375b8455f03bc4b374

Download Submit
C:\Users\Admin\Desktop\SendBackup.ppt

Filesize
127KB

MD5
57bbd11c304bbb9250b79508ba4358ff

SHA1
b9ad7698a48fb190138d75e4bbaa0f44b285f074

SHA256
6b1be90084e1d4e056cad70aab171ea690ecc20845e2bdbe47aa39f380dfcb82

SHA512
64002d6b89b7cc3b4f31c4c1881ead4ecaecf71dc1cf2d218b12796c94495e326d03e002ab90e36a90ce38dc59e4463c581cb8d27b9da0cf2340de69bd28de5e

Download Submit
C:\Users\Admin\Desktop\StartSkip.M2T

Filesize
336KB

MD5
4b35354c1e95edacc905f3a60980c84b

SHA1
91b53134fa44650ca3057dbae29d0b4e87cab9c8

SHA256
b0377c1cdc02e41e3e2e4256d541e53d411fb55dc1f8f04766bec37c9565c204

SHA512
3717b347d08c0de2b8adfaa9c2f3322eb3f8e2c1fcd7b715f3fdf940cdac3c5f19393d1fe286242a130b3334ee8a1190189e9fa02f37404f2b4da40c6366912e

Download Submit
C:\Users\Admin\Desktop\StopRename.docx

Filesize
15KB

MD5
1c3432a415f88c461f22aea08c56d259

SHA1
c066950ce8b4e5caff172ef3c1062ab9c58a6254

SHA256
30898b5a145df9f066363f1928e993a6e272d09170a8e327300a6a11c6c6cb8a

SHA512
43083a8dd5dc6dbde8c4ea788b95ca549896f4548897135b514a18e51969f1a6d9c594222c3c24bdaf20eab5e83dcb75e42c43290e11241aff9b08fb513f4f9d

Download Submit
C:\Users\Admin\Desktop\TraceRequest.mpa

Filesize
172KB

MD5
12fc7168e0c00d82277c4116753c9eae

SHA1
e403aaa0df47ad81001ab31e13673669ee257aee

SHA256
77e6c62c79c980f793be680e8c184a412fd627508e0033daaea49b26f6df64f1

SHA512
0afa9e111568d2dbddaa43751ab2679fbb55c4e9d6b9b6915ab6a94e85424f0fedff07b48d0a9e3c7dcba80d741225984e5348380779cb50ca8c14a96fdc39b0

Download Submit
C:\Users\Admin\Desktop\UnblockShow.dotm

Filesize
163KB

MD5
1196c6791ea4de09ea35b849b237ee38

SHA1
7978f0474ea3f91097b6214f71a053b08de22629

SHA256
6b0b5e3e18b813b048989dd2116a04b11b01a025c63ce17028031c02521a4c24

SHA512
a2be784ccd9b28033239606777e5559ec87a70c8cdc1990f792786ba1e8070958021a2eec5e649b1430348080027114b2f9480f3e4a3373acf8fddcb08d4e9ac

Download Submit
C:\Users\Admin\Desktop\UnregisterUse.jpeg

Filesize
118KB

MD5
fba005226d3fde7d54e242e3b02d2b2a

SHA1
880418ab0095583619418ebe0bf28110ffd1d682

SHA256
27c45081d82e02c20e3884a26772b90a69df98d65987c1a15efda053c961eaa3

SHA512
797bcdb4ea26840ab8a196c2d3999c147a33ccd82899b6611b7de737b8d8db9a97ff74138b5f19f30c8423716c1a56fb7428e9821472acc1067226b1f28c7ba8

Download Submit
C:\Users\Admin\Desktop\UpdateTest.kix

Filesize
272KB

MD5
bbfb3061245ebbce19e829654fb25e80

SHA1
e077127382d369bb36d1fd4443a47c2b7bf33d8d

SHA256
63c6a17353d13346711a84238375ffa4934e6766ac568b2d0ce5cde35dc814da

SHA512
edc4eedf1fb13a6b1573896e97df92a9a534cd50436db23ba23c926d1da569594cdd9addcf68102635273a39715fe68965f1df29964780ffcaeb023dd0f05846

Download Submit
C:\Users\Admin\Desktop\WriteImport.wmx

Filesize
154KB

MD5
3072e7ab1b9a0b63fed97342dfa00a04

SHA1
0d4c397540dbf379051871cb94839f9a4e194cb8

SHA256
67942bc8f56879f7371373c2c2b7df250b8f0d0f73246bf30dcd60185942e694

SHA512
d9206cf1b9217d04b40ee66ccf698071edd015617ea2c45ad4e94ed13cd2c1a347a07eae9d8c3d5ad1ae9e1e2207221a1eb40971c78411263a26c040073961c5

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
151KB

MD5
882dbfd453d23e33d1db9d08b12bcd40

SHA1
20a63b9742336ffc772a84070d4b7249b33ea5c6

SHA256
cdfab0ece78312ab8c5f6985ffd1b1ab448ec0b2874382b9e6459d8b8f754907

SHA512
a7568c29fb1fff3edfe95397c8b68097c44184f73de5025c48772fe511c81a2be5b4991f6f64455e3ebb437d5a971575e78fe2116e2d899b0db9696032f4a1d1

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
160KB

MD5
0d095679599878b9ff3ef0db74b4cd79

SHA1
1b69d3c8a644c381b3bdc9b0ace24cf7c49be39a

SHA256
93a0a54db2a87baf82dd9cf4f3f1bf7662366f2eccd68bc86f7f052493a70cc2

SHA512
fd2305d0743a1e75963ef405036c78cacc99fc1e7e7085c69bd6919a03af6de37e520947c9f1cdb24f4e7e3410ec775ccd6d5f7c417d57e5e3f9187b65a61f19

Download Submit
\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\DismHost.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\DismProv.dll

Filesize
182KB

MD5
8ca117cb9338c0351236939717cb7084

SHA1
baa145810d50fdb204c8482fda5cacaaf58cdad0

SHA256
f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54

SHA512
35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

Download Submit
\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\LogProvider.dll

Filesize
104KB

MD5
62de64dc805fd98af3ada9d93209f6a9

SHA1
392ba504973d626aaf5c5b41b184670c58ec65a7

SHA256
83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc

SHA512
7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

Download Submit
\Users\Admin\AppData\Local\Temp\53C9A926-4831-4D2F-8901-9587C468ACE0\OSProvider.dll

Filesize
124KB

MD5
e7caed467f80b29f4e63ba493614dbb1

SHA1
65a159bcdb68c7514e4f5b65413678c673d2d0c9

SHA256
2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c

SHA512
34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

Download Submit