hxxps://drive[.]google[.]com/file/d/11w4DvSBfEF35-wo8zMPGY_00pj-Av-10/view?usp=drivesdk

Resubmissions

21-11-2024 14:16

241121-rldwaaxlap 10

21-11-2024 14:15

241121-rknzvstbmk 6

Analysis

max time kernel
311s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/11w4DvSBfEF35-wo8zMPGY_00pj-Av-10/view?usp=drivesdk

Score

10^/10

defense_evasion discovery

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
juye mmds bjab mjcm

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\folder_for_files\desktop.ini	RLWhat.exe
File created	C:\Users\Admin\folder_for_files\desktop.ini	RLWhat.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5652	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 6 IoCs

pid	Process
4212	WINWORD.EXE
4212	WINWORD.EXE
4356	EXCEL.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
4940	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
740	msedge.exe
740	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
1100	msedge.exe
1100	msedge.exe
5652	msedge.exe
5652	msedge.exe
5652	msedge.exe
5652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
4356	EXCEL.EXE
4356	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
5180	WINWORD.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 5052	740	msedge.exe	85
PID 740 wrote to memory of 5052	740	msedge.exe	85
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 4720	740	msedge.exe	86
PID 740 wrote to memory of 5080	740	msedge.exe	87
PID 740 wrote to memory of 5080	740	msedge.exe	87
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88
PID 740 wrote to memory of 4532	740	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/11w4DvSBfEF35-wo8zMPGY_00pj-Av-10/view?usp=drivesdk
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa989a46f8,0x7ffa989a4708,0x7ffa989a4718
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14545009579297291822,2135090218313872985,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_RLWhat.zip\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5652

C:\Users\Admin\Downloads\RLWhat\RLWhat.exe
"C:\Users\Admin\Downloads\RLWhat\RLWhat.exe"
1⤵
- Drops desktop.ini file(s)
PID:6120
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c md C:\Users\Admin\folder_for_files
  2⤵
  PID:4340
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c del C:\Users\Admin\test.zip
  2⤵
  PID:2132
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c rd /S /Q %USERPROFILE%\folder_for_files
  2⤵
  PID:1668

C:\Users\Admin\Downloads\RLWhat\RLWhat.exe
"C:\Users\Admin\Downloads\RLWhat\RLWhat.exe"
1⤵
- Drops desktop.ini file(s)
PID:992
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c md C:\Users\Admin\folder_for_files
  2⤵
  PID:4340
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c del C:\Users\Admin\test.zip
  2⤵
  PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c rd /S /Q %USERPROFILE%\folder_for_files
  2⤵
  PID:5608

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnblockReceive.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SaveRestore.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4356

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WritePush.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5180

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StartComplete.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8a3bfb36-afbd-4482-8b02-c4328b5f74ae.tmp

Filesize
10KB

MD5
39af403dd653dcc72be99e33afae8f48

SHA1
35785df9851d4dba0f6fb38775cd5a8f6c43bf34

SHA256
742d9733fc6c7b879b0915f5d7d0bdd562ec8911d233497d5ca9eb4b6dac5bd2

SHA512
c49b73c728825ec6d2873ad509e4fab28b7d00514a5b1b9935992d5aec6ee9184514af02f33223c0b96960cb1c11008236aaf67ad6100e4bd32fecdaf4a7e9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
c24fb8d4f88b1b32c83ccea8a5a0c81d

SHA1
aba1275bdb71dabbc302092cb4dc36e941736128

SHA256
06d18e693d1d845bab215af769f7d61c1996bdd0eb65c8d8b455ad0546c4ac28

SHA512
13f4915e4a540e80a0b3ab6441a3d044a3d56b407b5ccc1e18799659a24548516f42119b89c58dba086319e0fa90bf949838f73ae03ba181108be9b8c03a8c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
22fea12cadb941576376676a67c6a369

SHA1
7f6ea02ae5ab43c1bea115865b80f46cc111e9df

SHA256
a04baae3a414b023c3de1537fd572bde172f7bb7fefa1ad3e322dde19799fc44

SHA512
70f1e4dcb071bc79dffa80591b9b1e7673af9453f0d64e5166c309b201c5ca215441909e0073931eda1b9bf5fd42a4112ae72352d10180090739b89b16b0b8c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
206a70afaf15f669bc69000008873a96

SHA1
b3295462352108d96dfc697c5e29c518dea853ae

SHA256
bccf61013ecba2e4e5792a97049e9648921c45c6d053517de223991410e0038f

SHA512
5db790229334857b7b7d09a77172ba6e7491e6184648223ce290aaa89b15d4dffbf86faed68c84082fec46d0503b23a46323cff70de184e92bfff3b6f5f877eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fa9f3c02d24bbcc8d75e5622ad484347

SHA1
2e505c332ff92e427ad1ae32fbd57534a6acbdf3

SHA256
5b8497e72687f0570a06c4c9b20f650170ef2947a8496afae2b5d6c6c8558926

SHA512
4345c6a094854949f18b1415c6cbe71589e214ee4388fd25074aa2dc622b19ce99ffffbf8fb0a03aeb0235528a83bca55db122bbc547a98fbcb09aeb79bd4d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e6391c2b6da2f904950e5a70b65e48ca

SHA1
e2e454d8f2929c0ef295512c9b564e47b877b7e6

SHA256
8c90e0ee1acd14ae24b678bf7d25a50c64e953e57f74c5e0bbd74d14ef385086

SHA512
157bfbdae20e34b23f4a2b8ef6668a89ff3a47c3a9a1c7cb650b906e6d9e62f4bf8ae69c6d6b9d13d3455f69f01a2c3f756b4f0f34c6738e2fc2dccedc386946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd83635639961303c5dcd5e3cf98104f

SHA1
cf9952441d12fd981cd4574c1362f4b1873c8b01

SHA256
626704ddd47f4fec671ac259b2ea2226f3908c434ec3ae3dd7f1c87fbe410cca

SHA512
3c3e1be8365a0b706baed34b2a397f56d41cf1580b0be6bac39d95fb2291013685be210039b8eb7de1c5deedc62e19a9f8e408188cd1ea7781d03c0ed319c36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9251624480369fd76bd3f3a455be260b

SHA1
f0ee9ae1ab2f8ebb875a84a64be9a9f3de0c63ad

SHA256
7b2ac57fd91b16a6ce191739e38d692053a7994e51ec7979a49e207d935e0b35

SHA512
47079a585065f9b89d8a794e1f22aec6e1cc5a82946441b86d32cd240d97b76b119b6216a8f0c582d2b7b086e09ef64f3f288d34d28b96c087ed79000194ea3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51e40c669eb2722d370b52233385fc81

SHA1
774754c32a52e0ccb959de3d8a9885f5b90d9d24

SHA256
459d416bd92af0481242c90370d25ff5bbb3ca1209ad3cf36fea31924725566d

SHA512
14b4f05e7ef8a85dfcc863e443f764853d61249d20e8f3b28130a802d91ebed68cb2c30b88e0410dcc01a79c6c3cb62219682a45869dccfc0c35db2b57636535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
995d39f6b72578d0d36d88ce968eca02

SHA1
b6af0a7d28e8876fbbffe014bbf9d872d9f08917

SHA256
63b7086e2f9e834133943149e83f2f44a5ebe8331cdc33cf02345002c0056d55

SHA512
f21900e26704c2be8e0ebbaae081619bb22686945b0258fbb3add5e34b53073edcfca6bce34fe6cf1b411dee43420e75fb3afb225c0d54612ad74374e929fad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23c11853a330c37ea6682dbd7a517210

SHA1
f0cfaace32f007748e2655eec70a1328389a8942

SHA256
5e0f263fc62122bc48020ab932a0c17c76e25332a308df61de274469c2b42ecc

SHA512
6081e4d5e524304770f32f98c413644724189cd1875d722e1cf34f39eac057c058c248596c8372db14a0c9fffbff8586a934d06d33df7445fcfaffadeb363d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e5d0b0ce7201a01e50ed6d96b5a1e0ee

SHA1
10c05e6c42c47a584a35458fa8c7f4d03b3d029c

SHA256
2901d152fea79ba0f94c83cae072440633ec68019220a2a5f02fc5ce8dcd7597

SHA512
7e5acb6d13497010197117346f471c0540f870440da5372ee4b70711601f65ae2e2eea897bb671f0dad48e9da4946204ddc505670a42c304dd48cfb36ab83016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
331B

MD5
41f012ab90593b147b094b9627274b03

SHA1
10d39571d412279c93b214644b2bfcd24a090bba

SHA256
9a1cf8d881961f311967c5afe2ff86bc65322235d203b5911a37b3f1f8ea6e12

SHA512
43c3f9382241a0e2d77ed0e6af776c7bae837a60e1dff6bd2aff8df8a02e7ff3d7f13464b7b8edffb506600f1e95ba50a12626f16458c5e5305b1e808012b22b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
332B

MD5
f20591f21c1bf104690834b2dc003d12

SHA1
6c9345784af27d8d9e859ae33ee5f03d60c716db

SHA256
80a31e34789f15f46579daf57ba1ef4cd00679416cc15202e516bd77fd541655

SHA512
a74f4524137fc5f4acedb5c3f66dd1fce6182f96598af3e51842f404f81bd91ecafdf3852c65b7def40c3f8c1f52461614bfd22b4f58f8c2503effdf2662db79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
332B

MD5
ba5f7c77e620df55d9dc1484b4dad4b6

SHA1
3e4e4f3fb4ecbd5ff0c67eaa68b5bc9977198995

SHA256
9443dd0ffec1d7f90402d6e9b870b51a1b25f1b2acffd791828230776945982f

SHA512
dc5524a53dfa49b4e42a83795033714cb01f5887e3a75e1b58cd3592ff9a8a2ce382c100a5db5ffed58beaabefa0560db90898a360ad175d5c8db0fc59dabfda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
f2b0228985b754215ba46493320edb39

SHA1
359ed5d931d1c7bc0c41a240b521876c65c7ef3d

SHA256
1a75c336c7427f9e81e2c1d58bc08f9a8866facb1685b9f2323ed74afa29106a

SHA512
59b8cc0eeade9740117e1ab25fdae749c63e6a3d5ff897283323495999f6b8a81e9f022e7a402bb9223f99eb5fa76dc6167fd434632bbc18906d3ff9723b2727

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 483807.crdownload

Filesize
574KB

MD5
6e03b896da73347ca559137946796444

SHA1
e7173a571faa0e9ab7a9a73563a7e89993acd1a1

SHA256
7283cde4db4318707308270e379e48e05e7750e5c60da8c0645197550794e0cd

SHA512
477469b9cca598472a8a2ef7973f860099dcf2a938a7965383b0e0f087b1750ad250bf5ecef90d49f01456af110367c07f5ab0f12e23a0d7bfef5fc8f34a82b4

Download Submit
C:\Users\Admin\folder_for_files\ADDCON~1.GIF

Filesize
546KB

MD5
3a3a55cf73c9e60c1c7a0dad7573cbc9

SHA1
f161d99a8649c4072cdd5bb7c6b690cff5391d23

SHA256
2e538ac8dfdd7dcf577a48e2b38570ba444d8cfbe7ee19a4f97260ccdca919bf

SHA512
a86c73616aa361295b918f80f05daf43a3abbce49ed1803701feebbb3dd800d8ae7102de371e976fba2e1701b6cff62cf5f87153c6d983d8db2bd28e2ff74f2d

Download Submit
C:\Users\Admin\folder_for_files\BACKUP~1.PNG

Filesize
516KB

MD5
066410a4009d22e556477bb1a21b4088

SHA1
c1e8ea4fae50ccbf797f5bf95cd345f5f8adf646

SHA256
1b9c48183e5f1637997c3cc8bf8c12441bf7e5360d60e8f85f2aea8391c0c6ce

SHA512
e4a51b24cc1ca7998846f1aa2d593e8601597ca5f86f58228797d27da858a3f1d337437b3cd12ecb9cc4de51ba0ad9723c254725af5429bde4f10e48af99edb7

Download Submit
C:\Users\Admin\folder_for_files\COMPRE~1.MP3

Filesize
407KB

MD5
b09bb6f64ff17960e397256fcbd64a6e

SHA1
fe86a1351c9a177f350622ba1116658939254aa2

SHA256
8b3f9500161e3453ed04bb6f26967b7452774a2113117f4d67b5328603dfa276

SHA512
6fe506525dff7dd310731aa49ab890f902737b97f16bab93bef9ae16f2f7df9067e218db8d13aa321c695bd6000fd8b57bf4ac852d7231897d440df9e4db655d

Download Submit
C:\Users\Admin\folder_for_files\CONVER~1.AIF

Filesize
277KB

MD5
428f80aa8c493ce88ea9bada80a156f9

SHA1
bea03af63957ec75e3462e0f2e5bb0d7bed9fa7e

SHA256
4c71b15082c79b782f3ee5bba1fd62c784983341b6a2c729f4eabe3a7c4b946d

SHA512
9bb2bec7d4b4492eb237d736d23f48f8deb10e082481e514b6f6c45e34905818f43acac0ba8434e0d978a551cf44a6d87a6cbfeb8bd340d6e65b5a28735f1353

Download Submit
C:\Users\Admin\folder_for_files\CONVER~1.CON

Filesize
476KB

MD5
69f287a9eeddffad4f14bab30aef1350

SHA1
0c8772a2132c68248e9db782006894de5966bdc9

SHA256
814dd6b68a315687678d9fb4bd3e1765abb80d8191bab7bb2db993c9e5216bad

SHA512
2bfa9e85d5cb49e821d5df2b22b1e124bb40cd2a73c2ec51d2dc7cf444bcd4db14929cbe1aa427e866f7c0c265e0f564fc18cf408676724f45fba2aca6104c48

Download Submit
C:\Users\Admin\folder_for_files\CONVER~1.ISO

Filesize
446KB

MD5
2f1845fc52690741e2728980719e8e19

SHA1
8bb8104c00b1f1d554f0ddfc83fd098e8341b645

SHA256
fc9e577cdb503b8eb2ce1c7cfb5e9b5eea522ec37807fb1bcc38b715d7368a07

SHA512
fe6fba68e9f5cb2a9c1e6117ead1e656c013337860217ab970542309c136b5fa1d4fe5e942926c4bc172bc7553d6f233f554a4c8ba4d3ed578e4476e9aa83775

Download Submit
C:\Users\Admin\folder_for_files\CONVER~1.SEA

Filesize
397KB

MD5
38cfdae641a1ace75f8ad496993fc58a

SHA1
1f0ce6a4c7774753bb93c7260753a88f978458e2

SHA256
c44afcb533298cf057fe877e1002ebf5c8bab8e3de3879a3e4f83727630aedf5

SHA512
1c751d8aea1ce7be9ed6ddb953c7b1ad2696195c047b7cdd582538ba0e21a17892b268ea3a9036587a65ff080d519683323136e3fe426715104b9743daf9ff30

Download Submit
C:\Users\Admin\folder_for_files\CONVER~1.WMF

Filesize
208KB

MD5
5d84ed886a5a2c327d00b453a171bcfc

SHA1
8f57db7dde3496fc69c481b96534d191c3673acf

SHA256
b632c737eaecb05d293c478f10a186e9197f6175872acbdb318998057aae579e

SHA512
d5b0282688c7bd6a2df9c244a084917316c49383a56c11c7eec1d28eb336e51757a6e5edf8b1c8c0dbf2829bb5f71fd9c23af07f00a5ec77b44a61d1d07d5890

Download Submit
C:\Users\Admin\folder_for_files\DISMOU~1.TTF

Filesize
486KB

MD5
bf5f9157c63937802722513a8eb75045

SHA1
d401719819ddb5127f8b4871e4d4ec4d8f7f2afe

SHA256
e11ada68bbb1e643941d884b8e54a0cf09af68ae4bbb2e9313de97493101c762

SHA512
6f687cc4b1195f9ba09928ed4927506e66ceef079f9856042f77c83f08cd21208779a118741049f903b49708bc3580375fda96708055570c45f2b57566eeda27

Download Submit
C:\Users\Admin\folder_for_files\EXITAD~1.MP4

Filesize
327KB

MD5
a154cc46a7d3344df60cbc002363c2c1

SHA1
330103f509d439cc4914b33b93afa0d23999f905

SHA256
3cfa3a057dafe86f7876fe61e851c47cdf72fa059d907776e0e71f48c5b92bfd

SHA512
17ec6a460225fb036f137e2e9b0d9964e843a2e681198e77f2615e2850b965935039300bbba7873775ad09d904047e90d610906df7387a9bbfa366aa8a481328

Download Submit
C:\Users\Admin\folder_for_files\EXITAP~1.MP2

Filesize
436KB

MD5
0e557b8b1a8d0d3947b4a6aa42901a5b

SHA1
6ca979668c8ffa4215231a98438a03980a66a402

SHA256
b49c1c9d94931a9415ca646bfdfcf259cafde49c1a966da89d9399af3c7d21fb

SHA512
d155e8b6d17b8e141eb55312f26ffeb79203c3180f5de66b74f58e4dad89b49d5ed7958dd82d1ce05df41c5fff8f70a0a0a77213a82db4e74f79e562f072d6f4

Download Submit
C:\Users\Admin\folder_for_files\FINDGR~1.TIF

Filesize
387KB

MD5
37487b10e814581131d2c5146cb1c242

SHA1
c6b50e35943ad9663d4e3f9e22f70cf0d67f8fcc

SHA256
ceedc39aa6af90d2715370618991d0d1028d071ec59028944a213da88923d732

SHA512
5fedcbc6af0dbbe3654ed32a7b763466b8f0123b014a658cad925556f650225929ad4e648676892076f2804e98feae7a78fcd07564d9ada2cf09d797bd287969

Download Submit
C:\Users\Admin\folder_for_files\FORMAT~1.DVR

Filesize
367KB

MD5
ad88d042b6d06bb25afc8790f51af636

SHA1
2259800281211741b2675d1c4d47ee6ed51fb8b1

SHA256
d4340c11f2b359db32f2aed08c2e957ceb911f494156f1baa984aca3ed5f537d

SHA512
1a4bc6bd303045618ed9bdcf283924870ab1f20f28f5ac809c79f3baa317a8f050d2de175ed3b8ca9d9e14c4dc5e7e23804772819571674ddd0d8d605dffc40b

Download Submit
C:\Users\Admin\folder_for_files\GRANTP~1.DOC

Filesize
536KB

MD5
a1eeea548505ba08fbff11bc4e0548a0

SHA1
bac104a7f9c58a2e85ddd6fafb4e0f37c1992b75

SHA256
22dfe5f9b0b02a7c4c772d8426ccabb9f786f0127b429c1daa41d04477b09807

SHA512
2ab55251d27078cc601109e6e36b5a08d492ef32693d43595358e013e1f35df38e611a3e5973d93d1c6bcd8bca67251988c8195e4680ea954b5dab4dcd4e46d2

Download Submit
C:\Users\Admin\folder_for_files\GRANTU~1.PCX

Filesize
526KB

MD5
b43407b9a0a358d03da90b532ee0e33d

SHA1
eebde8d95a31f413aa55baef939d8a10d3024288

SHA256
d7a4e8bdb813a504f50e2e4743c72345684918507467a3e9382c5e097ff3bb67

SHA512
02a08bcc689357740b4c87c3d5600b247ba2bf8e0ea4a2f7c594ab9219042c327873e5e7e5e39ebdf54ebc5c5aa2ed06d36ef8dbd914c71a5d91d56e92700797

Download Submit
C:\Users\Admin\folder_for_files\GROUPC~1.SHT

Filesize
258KB

MD5
a8b72de7a63362d84de3551725f1e858

SHA1
a651522b538206d537ecc9add6cf3297e8a26702

SHA256
7bb9a4d8494156c4de5891dc19604f98b73492910f791b506e889dde3fa4a51f

SHA512
2a49ffa31a91d7427e998b53f72332e6e6f8f4ec23ba9bc0530deecee90e4c5483422bacff2ec61d3d7bf5102a84f490edc99f0c84e66234d03013993bf2f7bf

Download Submit
C:\Users\Admin\folder_for_files\INSTAL~1.OGG

Filesize
268KB

MD5
ba2c5c997f30a214074d5151ff0b2618

SHA1
6bbe5c3b97363e3757ab75f0f991a7729b5d9ea0

SHA256
8cdeef30083ecc5494437f9b749dece81d147c1fdd75fcb606c3b859b260a80a

SHA512
dae20e350a8aa918d1b3bc408c35779e7764945e23d1354c582527ddb88f8d8f4333383e639a99e416954fd0b891b77c374b15decdcf9e9ea5ef2830d7c97d38

Download Submit
C:\Users\Admin\folder_for_files\INSTAL~1.PPT

Filesize
238KB

MD5
672ca797efbea6d7c52403b4ecffa20e

SHA1
abcaebca13dfa304b3f976380e9b34aebe46c78e

SHA256
c11821fd3fbe6084ba91feb8dfbcce4dd6640fc4ef245a47a34679c3e5861d44

SHA512
3bceef5596ea3b00b58f630df0b1e904ecb5b470d6b141d71f7c22ee9013257e25bab0972feb4328b11049869d4e48ba7ada630a6987787ac81cc79b7b1879a7

Download Submit
C:\Users\Admin\folder_for_files\INSTAL~1.VST

Filesize
248KB

MD5
dc7ca711cbe6a6b8a9eff5f7e4071e65

SHA1
4f30807af2dc2ca1f42c0fa5e5200ac5a8a2d49b

SHA256
742a15f9c896096df0cfab9f2d0c5d207773d3b9918d80d048ea7f0efba72e7d

SHA512
b323ed11ed18d9db60c00b1c7037d2d36311060101c6b265ef858c285c2da762a5efb68591a5f580b0cc0ad5d97318f4a00ab2a57030bce6cbd5eb403d107f33

Download Submit
C:\Users\Admin\folder_for_files\JOINCO~1.TS

Filesize
744KB

MD5
3ebdce8f93a3ee0ecda8b326751ed95c

SHA1
5d77909ba5e9505f65fd1f6390364029ae12e3f9

SHA256
66fabae8968f4047258c6b6a5499bd3c140b0b74a06e9e41e13d7b6164821045

SHA512
4bf56514e85fdd1954c9d60d5b235f2dd168d8a137200b3c00683eb6f0171340c8208a38edcddd4e6f8a51c0d9e907869afbeb44129398fdaf0840f07e39e9be

Download Submit
C:\Users\Admin\folder_for_files\MERGER~1.OTF

Filesize
347KB

MD5
871b4541378f28cafa9d302e3c757995

SHA1
9c5cab43cb215f89b2210e273f2f2547133ab9de

SHA256
2627fc8fcd24f87fe12e449c026f1f26df2b8b9be84797d7caad39703d10083e

SHA512
e50c852382dd32831895661535282f22ccba60be61d2e8f59b92746e6bacf8193f35e4e3874bc89c5585dfb8acb8b82c91637ec8bda9ff565b90e070d9bc634a

Download Submit
C:\Users\Admin\folder_for_files\OPTIMI~1.AAC

Filesize
198KB

MD5
86908eb31ccfdb826e0aba29961a2244

SHA1
5ac4caaf1e70e26c36781a1e9ca6bd026104d2fa

SHA256
58a5c25d0a8083a8e8a3db14fd301bf5007a0e68900017350acc09f38df35c54

SHA512
f11dee810548e5214fd6740e9b96e814b8380c9ba91d40765284e2da0e2a604ef1ca30da0ba4016966c23ad8baa7f447bf38ac131136d5b01c593b7ff96b3c86

Download Submit
C:\Users\Admin\folder_for_files\OUTSKI~1.DOT

Filesize
228KB

MD5
78b7ef33f554b25ef058e2fdc579b454

SHA1
af935875150b67af1389446d8b2264d694187850

SHA256
1cc11192e842e36229ec624f008212a937a588f5078f2847540c51445e0c6f6c

SHA512
cc2803407714411769b9cc99a3c36cb4d094a4b6732311cff7b3db268258dc0bc4a91b9b9ab21f210c61d6bf1c24bbf30fed64295bf8c213da5375f44cb1956d

Download Submit
C:\Users\Admin\folder_for_files\PINGIN~1.MHT

Filesize
218KB

MD5
2693cccea8853a2e89d5ac394ffb815b

SHA1
05a6f27cbb2edb7364c029e98ce8e8cc1749709a

SHA256
68af67058c074a96c4beba747c073b54136e8c869dcfd5033d55b7cbfb89fb95

SHA512
ef74cfc55288765777f38facf116a45abaffbbc2abb2527da416b39ea3b720257f25077f251a291e17a3d739c57d2f786546b108805364bf66ad4f6526ebd04b

Download Submit
C:\Users\Admin\folder_for_files\PushGet.js

Filesize
456KB

MD5
52437d6eeccf4cf0695fa7f1015b3fc8

SHA1
7ec0c8dffe5dbe1e3ace878662672734243ce8b7

SHA256
b8df23b76d6894be853178792b32b86db2be9b79d529c250e13125d4907db2cf

SHA512
6abfaca5dc965d968b96605ddc9e847e64da198cb6bbb4ccae56af8eab0f6040afb8639f151c31af72bf2e30e8eb0795cd4a684894b831334a93c5bf62a77ed5

Download Submit
C:\Users\Admin\folder_for_files\READUN~1.DOT

Filesize
317KB

MD5
0054cdb2c705bb2b2087c3790ef4d445

SHA1
1e778da6b3548bb150aea98e088ab5e3357b31f2

SHA256
722f40dc25c6fbd479c7b718147b6cce9c7dd8d071ef0b35fffb87b6bc4946a8

SHA512
6faf74c2530695d23f8401300f9022e45e95233111e0c34e4de9121e437769ec947372bcde7d385c317c09eeeea184f2b54eca0eaf1599d9f2125d9b2c8d2738

Download Submit
C:\Users\Admin\folder_for_files\REDOOP~1.ADT

Filesize
357KB

MD5
f3526198a19b4757c2efbc913e99a929

SHA1
3e8dd5e91cc3917edc496c6a243697b1af44aa22

SHA256
b60956e0aa9cd82f4bb9834fbe708e1e0949973ba665af9cf13f7e97edffcac7

SHA512
c76a909d61e4fbe874d06b5a4ce053e35333a34d67f463783dd0da59e7f9ba33e4426173b5be5b1f2c6d481722c8d239480962232eec4cb9cf90d3e082a4dece

Download Submit
C:\Users\Admin\folder_for_files\REGIST~1.MID

Filesize
496KB

MD5
1a6c6236d996d6f4516f2f841279454c

SHA1
e5736aebf021da25d49b8dfc4f4f2fb0b682771b

SHA256
a0e9a9a4e8cd75ad0b60d0220c6f01a9951ee27d9f047f398f08a5bb384f8a27

SHA512
593974930563046684ae7c8b82714b8d34a86a53137cdab99601b57af795468298d50e2d60ee6b1a7e92e67823512afb5443a33f6ba1d333ce297d397a57fa0a

Download Submit
C:\Users\Admin\folder_for_files\REMOVE~1.XLS

Filesize
297KB

MD5
25ee583f53520cfec82632b69b4d8921

SHA1
a9845668a5aaf6d7fa61cab2e1512699444695f2

SHA256
a92b09b60cce8e91edcb0c743acde8a9af573406c0f2b186db491e7cdc22b667

SHA512
ba2d9bf5a2d92ad2ede50ec391a4ff4b8289b47aeb888f1952f4250c55fc08be592031afe9193ed60181808db5b394b53666654c45aaa39e55fff359e466aeae

Download Submit
C:\Users\Admin\folder_for_files\REPAIR~1.PPS

Filesize
337KB

MD5
e06006158354122d15d9cf3f52372baa

SHA1
5d6760820bd27152d98623177f8f19c7ce3284b5

SHA256
55d2e85f14e972c4dde34c37d9a428c141b9d79dada7acf1934fd2466e67e8e3

SHA512
c2803c7384bd69b50be4d39b1e66b3d49fb7472648b3f55de135d706f3d6d259794985e034917d35ba268bf27b2bcb78ca9e776e59ba9a56d2cad4397e0975dc

Download Submit
C:\Users\Admin\folder_for_files\ReadMove.ini

Filesize
506KB

MD5
d36aab72fadedf5fe1d8b16b6c592d5e

SHA1
3332044a861a5ff3b8dbe66017252582964030a5

SHA256
038664ac86f9c7740da4e68b6c8aa9f145cafddd7aa39db7a83c63c688528ecf

SHA512
e6c744fb2e86337a14b80fc8c7c06216478b1ede218579cdf600deb1e0b81b13a5ed99f88a695cdfe04fab07612bd9d8eca225606a29ea2fbd7d6eb0831b5845

Download Submit
C:\Users\Admin\folder_for_files\SETRES~1.XLS

Filesize
466KB

MD5
0d258c043f693fdebd4c56029757a4bf

SHA1
956553bb5ff181493a23d3a05ee3ddac2cd57326

SHA256
4526180db88d9cf9735de5a6bd846399a3fe803bc8dab64f2f2b5bdd3577f83f

SHA512
6f33eec13a66d8d990eb3da035f7fe3648a13145e9ba64b89dbf16fb1af4d0208a84e732131ea29d70133be40484b96ed452eff58ed6263c43432c966094ce7b

Download Submit
C:\Users\Admin\folder_for_files\SUBMIT~1.EAS

Filesize
416KB

MD5
dd0a57d9d32a3ccc874cc860914d9152

SHA1
ba7ce92711031f7b7f1f4c4871bdbaecf82e6b48

SHA256
6c78e56dd88576d487245ba74dc64af6f99eded244c56f7f1aa824dde25e201f

SHA512
b4f0f953e7dc449ca8f11a031377b9b71f0c3f4d0c4a22829b9a38da19bf5875f5bcf929ab5fee778de4e8cddd793ade7a2e67bf6aba61c0bfd58626f8a71f52

Download Submit
C:\Users\Admin\folder_for_files\SUBMIT~1.SEA

Filesize
377KB

MD5
2650489e2cab89935423d1251f5e8ed9

SHA1
f5d4633de026698a27e6d4932fe603e4a2102331

SHA256
cc99c9c92c344e3e089c3f0aaa86757512da74cbcd1529be1bdc25b33761d0b2

SHA512
7059e620ac4fb77a282852d3eb1acc01e31e88e867130c1e4ef62bbc6868025a9c9482fd66c8f6ac347fc8ea8b643316d83442c4e2bb2838c4ebc6fe37b24263

Download Submit
C:\Users\Admin\folder_for_files\SYNCST~1.ICO

Filesize
307KB

MD5
0f5550d59e824e7b10e41efc16245e30

SHA1
da271b8237734b2d23b68b6feb3296082ce362d0

SHA256
3b8b348601adcaea71229d9acd398960cb483a677d71dc4b5be8acaf73bbb98f

SHA512
41a9e699264b460ffaa589a141dcabe495b02d8fa18d47a4d7be613db61aaa8482ef83aa916c12d2ca61394cee7a02aa9478e2244b8dea7cee3f74131e410ab9

Download Submit
C:\Users\Admin\folder_for_files\TRACEE~1.TEM

Filesize
287KB

MD5
df84f4dddb7fd739676c8e9f1ee47b7e

SHA1
030ebc56a40aef710f45156438cd02e5604fc441

SHA256
be4c953897fa6e6eb68bc4be3afecc95ae922d952691710c8bb849739f040c96

SHA512
ce8412c73ea35f8ce20c843e67859edd566502126dbc3a93e21b467b637453169f59e28cb59f22d4efc080d6b65dc9297ee0127c2f1ab851fb020b6b244b19a2

Download Submit
C:\Users\Admin\folder_for_files\UNREGI~1.VSW

Filesize
188KB

MD5
83e5ad7c98df2446112438299ba9f663

SHA1
9a5335fde163a072faa6f55fc12b3586711e805d

SHA256
6cad32372101c1f402f0a0a3bcfbf806da88c75dd1e1c9ddf724a6ffc8f5fd80

SHA512
0eb00e11e6c817b25581427800c4e3da78ccd21cf64a28d20bee34fc87fe61b66a37595d23488cc0d46679e2088a1e289226b65303f44a1c5d4bd43613f96bda

Download Submit
C:\Users\Admin\folder_for_files\WATCHR~1.MP4

Filesize
426KB

MD5
adb4994c348f104a776d146313fcbdd8

SHA1
a3a10abc5c6813319c67e1a49262f0c19907fcf8

SHA256
50cd36d675db619bb875c4e0ffe19c3d3d6f3b613495b86ef039d90311fa7a58

SHA512
cd66a716ea036158d451fafb6128d808227e2a3c7d78667a9e06c8a94bab534f6b605d70b0c5d05e57114cfdd245f1ec6e8149e3af97fbdaf5401049c1bf947f

Download Submit
C:\Users\Admin\folder_for_files\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\test.zip

Filesize
14.6MB

MD5
8ffd8bc7896e667cf4872b38ef98c047

SHA1
73b178291f49311664106313075eba1f42c42375

SHA256
6a192eadad8eccc442e1e373ad1c6b476cf8dc5009f46683523336f893d30ecb

SHA512
b60f0fa19c2d65d23ee45e788c78ca1995940c6d5f0cd685bfe516dac9d5ef441938f7d6876580716e9309c0616d7e71f4f09c2d256a00565e29d745e4e8fed8

Download Submit
memory/4212-483-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-556-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-559-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-558-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-557-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-485-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp

Filesize
64KB

Download
memory/4212-484-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp

Filesize
64KB

Download
memory/4212-482-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-480-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-481-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4212-479-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp

Filesize
64KB

Download
memory/4356-565-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp

Filesize
64KB

Download
memory/4356-566-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp

Filesize
64KB

Download