750c111205a75420756345b4a9c7449a59d9573a4be6cbb660aef9d7f4c1b84d

Analysis

max time kernel
510s
max time network
512s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

image.png
Size

32KB
MD5

557824ce778bf500f5fd9ffc79526568
SHA1

b888e5efcc8804b6bec0b7cba401f36f8132301b
SHA256

750c111205a75420756345b4a9c7449a59d9573a4be6cbb660aef9d7f4c1b84d
SHA512

b767fb6d168e615ba249a7b44de856b2feffc053eb2cdf35ae5adbed35508154136215c21abeb3397d8496d486b0d80b655f12693b32ca1eb9f0c528e4024e12
SSDEEP

768:s4XRzAkefBiDj+dHe/Wz43+Lx9l42e4eyWrxeFi0e4hxc:xeYSHecH9l4nPr8FfeqC

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
2116	SteamSetup.exe
1236	steamservice.exe
3224	steam.exe
9080	steam.exe
9132	steamwebhelper.exe
9168	steamwebhelper.exe
9244	steamwebhelper.exe
9396	steamwebhelper.exe
9624	gldriverquery64.exe
9804	steamwebhelper.exe
9852	steamwebhelper.exe
10160	gldriverquery.exe
10232	vulkandriverquery64.exe
10264	vulkandriverquery.exe
13260	MSAGENT.EXE
13244	tv_enua.exe
15052	AgentSvr.exe
17316	BonziBDY_4.EXE
17336	AgentSvr.exe
17452	BonziBDY_35.EXE
17940	BonziBDY_35.EXE
18028	BonziBDY_2.EXE
18804	steamwebhelper.exe
20048	steamwebhelper.exe
22756	steamwebhelper.exe

Loads dropped DLL 64 IoCs

pid	Process
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9168	steamwebhelper.exe
9168	steamwebhelper.exe
9168	steamwebhelper.exe
9080	steam.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9244	steamwebhelper.exe
9080	steam.exe
9396	steamwebhelper.exe
9396	steamwebhelper.exe
9396	steamwebhelper.exe
9080	steam.exe
9804	steamwebhelper.exe
9804	steamwebhelper.exe
9804	steamwebhelper.exe
9852	steamwebhelper.exe
9852	steamwebhelper.exe
9852	steamwebhelper.exe
9852	steamwebhelper.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
9108	BonziBuddy432.exe
13244	tv_enua.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET5F14.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET5F14.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox360_button_select_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnDefTop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\chatroom_locked.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_latam.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_r2_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_ring_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_rt_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0010.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_detail_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\win32_win_close_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steam_welcome_large.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\icudtl.dat_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\locales\gu.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_dpad_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_button_mute_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_romanian.html_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0319.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0333.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_ukrainian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_rfn_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_r4_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\resources_misc_all.zip.vz.e86a975545f3ab21a77373870cb311ef93934b8c_2224876	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_080_input_0010.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\gridview_placeholder_2.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_greek.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_button_home_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0450.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0315.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_tchinese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_circle_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_4_lg.png_	steam.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP	BonziBuddy432.exe
File created	C:\Program Files (x86)\Steam\package\strings_all.zip.vz.c904f95b8996c66336305408448b8bede03956d6_2006928	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_r3_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_p2_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_r_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\libavif-16.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_lt_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_buttons_e_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_l2_half_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_outlined_button_y_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_triangle_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_l_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\ChatMsgNotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\streaming_intro.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\updatenew_notification.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\fav_addTo.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_dpad_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\locales\zh-CN.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0304.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\library_capsule.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\radSelDown.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_lstick_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_rtrackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_a.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick_touch.svg_	steam.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\msagent\SET71EC.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET71FD.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET7203.tmp	MSAGENT.EXE
File created	C:\Windows\fonts\SET5F03.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\SET5F01.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\intl\SET7216.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\fonts\SET5F03.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET7226.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File created	C:\Windows\lhsp\help\SET5F02.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET71FE.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7200.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7201.tmp	MSAGENT.EXE
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\_platform_specific\win_x64\widevinecdm.dll	steamwebhelper.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET71FE.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7202.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\SET7205.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET71FD.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7200.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET7203.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\LICENSE	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe
File created	C:\Windows\msagent\SET71FC.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\lhsp\help\SET5F02.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET71FF.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File created	C:\Windows\help\SET7205.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7226.tmp	MSAGENT.EXE
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\_platform_specific\win_x64\widevinecdm.dll.sig	steamwebhelper.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\manifest.json	steamwebhelper.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\lhsp\tv\SET5EE1.tmp	tv_enua.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\_metadata\verified_contents.json	steamwebhelper.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET5EE1.tmp	tv_enua.exe
File created	C:\Windows\lhsp\tv\SET5F01.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET7216.tmp	MSAGENT.EXE
File created	C:\Windows\rescache\_merged\425634766\2912441238.pri	LogonUI.exe
File opened for modification	C:\Windows\msagent\SET71EC.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7202.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET7204.tmp	MSAGENT.EXE
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\manifest.fingerprint	steamwebhelper.exe
File created	C:\Windows\INF\SET5F04.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET7204.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET7201.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET71FC.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET71FF.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSAGENT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBuddy432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tv_enua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_35.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_35.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_2.EXE

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffc00000001a000000e003000072020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31155697"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff0e0100001a0000002e04000072020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffa600000000000000c603000058020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e0000005e03000096020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000fffffffffffffffffffffffffffffffff4000000000000001404000058020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Recovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a0000009203000072020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2801000034000000480400008c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{154F1BE3-D1B8-11EF-9A5E-6274148E5E44} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff58000000000000007803000058020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff8c00000034000000ac0300008c020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffda00000034000000fa0300008c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1926102437"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812505479560209"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComProcTextures\CurVer\ = "ActiveSkin.ComProcTextures.1"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}\InprocServer32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62FCAC31-2581-11D2-BAF1-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F66-055F-11D4-8F9B-00104BA312D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4043742-AC8D-4F86-88E9-F3FD3369DD8C}\ProxyStubClsid	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSCOMCTL.OCX, 4"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{368C5B10-6A0F-11CE-9425-0000C0C14E92}\Control	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DACB7A39-CC0D-4B85-908B-10D2451761A5}\ProxyStubClsid32	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB35CBB4-A1BC-11D3-8F99-00104BA312D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA478DA0-3920-11D3-9DD0-8067E4A06603}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\MiscStatus	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0\FLAGS	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.CPeriod\ = "BonziBUDDY.CPeriod"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F58C9A5-9C30-11D3-8F99-00104BA312D6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BonziBDY_2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{972DE6C2-8B09-11D2-B652-A1FD6CC34260}\Version\ = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D44-2CDD-11D3-9DD0-D3CD4078982A}\Version	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB35CBB5-A1BC-11D3-8F99-00104BA312D6}\ = "clsBBPlayer"	BonziBDY_2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B1BE803-567F-11D1-B652-0060976C699F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB52CF7F-3917-11CE-80FB-0000C0C14E92}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\ProgID\ = "ActiveTabs.SSTabs.2"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ImageListCtrl"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSCheck\ = "SSCheck Control 3.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.clsClickTheButton\Clsid	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSRibbon	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E20FD10-1BEB-11CE-80FB-0000C0C14E92}\ = "ISSSelectedDays"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\ = "Toolbar General Property Page Object"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.2\CLSID\ = "{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB35CBB6-A1BC-11D3-8F99-00104BA312D6}\ProxyStubClsid32	BonziBDY_2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{916694A9-8AD6-11D2-B6FD-0060976C699F}\TypeLib\ = "{6B1BE80A-567F-11D1-B652-0060976C699F}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DACB7A39-CC0D-4B85-908B-10D2451761A5}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F68-055F-11D4-8F9B-00104BA312D6}	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB35CBB4-A1BC-11D3-8F99-00104BA312D6}\TypeLib\ = "{8F58C996-9C30-11D3-8F99-00104BA312D6}"	BonziBDY_2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB35CBB7-A1BC-11D3-8F99-00104BA312D6}\TypeLib\Version = "2.0"	BonziBDY_2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.COMScript\CLSID\ = "{4F7AE601-0142-11D3-9DCF-89BE4EFB591E}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{972DE6C3-8B09-11D2-B652-A1FD6CC34260}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EF6BEC0-E669-11CD-836C-0000C0C14E92}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A45DB49-BD0D-11D2-8D14-00104B9E072A}\TypeLib\ = "{0A45DB48-BD0D-11D2-8D14-00104B9E072A}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DB2224E-D2FA-4B2E-8402-085EA7CC826B}\TypeLib\Version = "1.1"	BonziBDY_35.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.CCalendarVBPeriod\Clsid	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\Implemented Categories	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\VersionIndependentProgID\ = "ActiveSkin.SkinButton"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CFC9BA1-FE87-11D2-9DCF-ED29FAFE371D}\TypeLib\ = "{972DE6B5-8B09-11D2-B652-A1FD6CC34260}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3E-8596-11D1-B16A-00C0F0283628}\ = "ListView General Property Page Object"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDC-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{311CFF50-3889-11CE-9E52-0000C0554C0A}\ = "ISSTask"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\ = "Microsoft Agent Server Extensions 2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	BonziBuddy432.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Bon.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
19116	vlc.exe
19344	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
3364	chrome.exe
3364	chrome.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
2116	SteamSetup.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9680	chrome.exe
9680	chrome.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9680	chrome.exe
9680	chrome.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe
9080	steam.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
9080	steam.exe
19116	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
15264	msedge.exe
15264	msedge.exe
15264	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe
9132	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2116	SteamSetup.exe
1236	steamservice.exe
9080	steam.exe
9108	BonziBuddy432.exe
13260	MSAGENT.EXE
13244	tv_enua.exe
15052	AgentSvr.exe
17316	BonziBDY_4.EXE
17316	BonziBDY_4.EXE
17452	BonziBDY_35.EXE
17452	BonziBDY_35.EXE
17940	BonziBDY_35.EXE
18028	BonziBDY_2.EXE
18028	BonziBDY_2.EXE
19116	vlc.exe
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
19344	EXCEL.EXE
21064	iexplore.exe
21064	iexplore.exe
21068	IEXPLORE.EXE
21068	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21340	IEXPLORE.EXE
21340	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21416	IEXPLORE.EXE
21416	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21848	IEXPLORE.EXE
21848	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21340	IEXPLORE.EXE
21340	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21288	IEXPLORE.EXE
21288	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21416	IEXPLORE.EXE
21416	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21384	IEXPLORE.EXE
21384	IEXPLORE.EXE
21064	iexplore.exe
21064	iexplore.exe
21848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2996	3192	chrome.exe	82
PID 3192 wrote to memory of 2996	3192	chrome.exe	82
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 700	3192	chrome.exe	83
PID 3192 wrote to memory of 1732	3192	chrome.exe	84
PID 3192 wrote to memory of 1732	3192	chrome.exe	84
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85
PID 3192 wrote to memory of 1396	3192	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\image.png
1⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffdb3f7cc40,0x7ffdb3f7cc4c,0x7ffdb3f7cc58
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3796,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4388,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4664,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:2
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5508,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=868,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3360,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6012,i,7362546585249513350,621435668262386537,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004D4
1⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb3f7cc40,0x7ffdb3f7cc4c,0x7ffdb3f7cc58
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4320,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3248,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4340,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3772,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5088,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3352,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5228,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5268,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5272,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4340
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2116
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6116,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6272,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5264,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5196,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6612,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6572,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4944,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6920,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6176,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3340,i,9431698830169222278,1648944474201264076,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:9680

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5016

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:3224
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:9080
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=9080" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of SendNotifyMessage
    PID:9132
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x288,0x28c,0x290,0x284,0x294,0x7ffd9dcbaf00,0x7ffd9dcbaf0c,0x7ffd9dcbaf18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:9168
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1564,i,14351134900036674059,3186296345334008177,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1568 --mojo-platform-channel-handle=1556 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:9244
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2276,i,14351134900036674059,3186296345334008177,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2280 --mojo-platform-channel-handle=2272 /prefetch:11
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:9396
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2744,i,14351134900036674059,3186296345334008177,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2748 --mojo-platform-channel-handle=2740 /prefetch:13
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:9804
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,14351134900036674059,3186296345334008177,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3136 --mojo-platform-channel-handle=3120 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:9852
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=3676,i,14351134900036674059,3186296345334008177,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3644 --mojo-platform-channel-handle=3688 /prefetch:14
      4⤵
      Executes dropped EXE
      PID:18804
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3764,i,14351134900036674059,3186296345334008177,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3752 --mojo-platform-channel-handle=3760 /prefetch:10
      4⤵
      Executes dropped EXE
      PID:20048
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:9624
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:10160
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:10232
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:10264
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=9080" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=1" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Executes dropped EXE
    PID:22756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5524

C:\Users\Admin\Downloads\Bon\BonziBuddy432.exe
"C:\Users\Admin\Downloads\Bon\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13188
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:13260
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:14940
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:14956
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:14972
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:14988
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:15004
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:15016
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:15032
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:15052
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:15080
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:13244
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      System Location Discovery: System Language Discovery
      PID:13964
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      System Location Discovery: System Language Discovery
      PID:13980
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:14004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:15264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd9c023cb8,0x7ffd9c023cc8,0x7ffd9c023cd8
    3⤵
    PID:15284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,6541852410934327149,15621744665034701627,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
    3⤵
    PID:15492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,6541852410934327149,15621744665034701627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
    3⤵
    PID:15508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,6541852410934327149,15621744665034701627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
    3⤵
    PID:15624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6541852410934327149,15621744665034701627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:15856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6541852410934327149,15621744665034701627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:15864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,6541852410934327149,15621744665034701627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
    3⤵
    PID:16128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:15744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:15812

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17316

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:17336

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL speech.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18616
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL speech.cpl,,0
    3⤵
    PID:18716

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:17940

C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:18028

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BackupUse.3gpp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:19116

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ConnectConvert.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:19344

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word Document.TXT
1⤵
PID:20180

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word Document.TXT
1⤵
PID:20408

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word Document.TXT
1⤵
PID:20668

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:21008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:21064
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:21068
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:17414 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:21340
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:17418 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:21416
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:82948 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:21848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:17424 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:21288
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:82956 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:21384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:21064 CREDAT:82962 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:6148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3956055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:22308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx

Filesize
336KB

MD5
3d225d8435666c14addf17c14806c355

SHA1
262a951a98dd9429558ed35f423babe1a6cce094

SHA256
2c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877

SHA512
391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE

Filesize
796KB

MD5
8a30bd00d45a659e6e393915e5aef701

SHA1
b00c31de44328dd71a70f0c8e123b56934edc755

SHA256
1e2994763a7674a0f1ec117dae562b05b614937ff61c83b316b135afab02d45a

SHA512
daf92e61e75382e1da0e2aba9466a9e4d9703a129a147f0b3c71755f491c68f89ad67cfb4dd013580063d664b69c8673fb52c02d34b86d947e9f16072b7090fb

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE

Filesize
2.5MB

MD5
73feeab1c303db39cbe35672ae049911

SHA1
c14ce70e1b3530811a8c363d246eb43fc77b656c

SHA256
88c03817ae8dfc5fc9e6ffd1cfb5b829924988d01cd472c1e64952c5398866e8

SHA512
73f37dee83664ce31522f732bf819ed157865a2a551a656a7a65d487c359a16c82bd74acff2b7a728bb5f52d53f4cfbea5bef36118128b0d416fa835053f7153

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE

Filesize
3.2MB

MD5
93f3ed21ad49fd54f249d0d536981a88

SHA1
ffca7f3846e538be9c6da1e871724dd935755542

SHA256
5678fd744faddb30a87568ae309066ef88102a274fff62f10e4963350da373bc

SHA512
7923556c6d6feb4ff4253e853bae3675184eab9b8ce4d4e07f356c8624317801ee807ad5340690196a975824ea3ed500ce6a80c7670f19785139be594fa5e70f

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx

Filesize
152KB

MD5
66551c972574f86087032467aa6febb4

SHA1
5ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9

SHA256
9028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b

SHA512
35c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg

Filesize
50KB

MD5
e8f52918072e96bb5f4c573dbb76d74f

SHA1
ba0a89ed469de5e36bd4576591ee94db2c7f8909

SHA256
473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82

SHA512
d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg

Filesize
45KB

MD5
108fd5475c19f16c28068f67fc80f305

SHA1
4e1980ba338133a6fadd5fda4ffe6d4e8a039033

SHA256
03f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b

SHA512
98c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX

Filesize
1.0MB

MD5
12c2755d14b2e51a4bb5cbdfc22ecb11

SHA1
33f0f5962dbe0e518fe101fa985158d760f01df1

SHA256
3b6ccdb560d7cd4748e992bd82c799acd1bbcfc922a13830ca381d976ffcccaf

SHA512
4c9b16fb4d787145f6d65a34e1c4d5c6eb07bff4c313a35f5efa9dce5a840c1da77338c92346b1ad68eeb59ef37ef18a9d6078673c3543656961e656466699cf

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
139B

MD5
2d09c4550967184517ccc749ac64ba5c

SHA1
acd119dfb3c583a50fd49e90479b18c7b877f108

SHA256
d125f1f3f53aeed9e0790ae63221ef7b39be2bf66022dcc9ac0a0e32f0755028

SHA512
eaf44d7d5d74947663320be3ff3afbe7ccac600901d9649ae754f75bbff5bb7cba79aa62e05231083017a8c9a96ac1ed70ce179e16da75e4492563869441cfa5

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
140B

MD5
a8ed45f8bfdc5303b7b52ae2cce03a14

SHA1
fb9bee69ef99797ac15ba4d8a57988754f2c0c6b

SHA256
375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b

SHA512
37917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
99B

MD5
4de674e08ea9abd1273dde18b1197621

SHA1
7592a51cf654f0438f8947b5a2362c7053689fd8

SHA256
56010f4c8f146425eb326c79cbad23367301e6a3bc1e91fdcd671ce9f5fc4b63

SHA512
976d5772c2b42616cf948f215a78fa47d8154798abf1148f7f750545ed3de9ec1ecdf2e7e16b99c1459e5519a81301b9c1e6864e992a807b78257f0abaecc4c8

Download Submit
C:\Program Files (x86)\BonziBuddy432\Regicon.ocx

Filesize
76KB

MD5
32ff40a65ab92beb59102b5eaa083907

SHA1
af2824feb55fb10ec14ebd604809a0d424d49442

SHA256
07e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42

SHA512
2cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat

Filesize
279B

MD5
4877f2ce2833f1356ae3b534fce1b5e3

SHA1
7365c9ef5997324b73b1ff0ea67375a328a9646a

SHA256
8ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff

SHA512
dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX

Filesize
472KB

MD5
ce9216b52ded7e6fc63a50584b55a9b3

SHA1
27bb8882b228725e2a3793b4b4da3e154d6bb2ea

SHA256
8e52ef01139dc448d1efd33d1d9532f852a74d05ee87e8e93c2bb0286a864e13

SHA512
444946e5fc3ea33dd4a09b4cbf2d41f52d584eb5b620f5e144de9a79186e2c9d322d6076ed28b6f0f6d0df9ef4f7303e3901ff552ed086b70b6815abdfc23af7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX

Filesize
320KB

MD5
97ffaf46f04982c4bdb8464397ba2a23

SHA1
f32e89d9651fd6e3af4844fd7616a7f263dc5510

SHA256
5db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1

SHA512
8c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002

Download Submit
C:\Program Files (x86)\BonziBuddy432\Uninstall.exe

Filesize
65KB

MD5
068ace391e3c5399b26cb9edfa9af12f

SHA1
568482d214acf16e2f5522662b7b813679dcd4c7

SHA256
2288f4f42373affffbaa63ce2fda9bb071fd7f14dbcd04f52d3af3a219b03485

SHA512
0ba89fcdbb418ea6742eeb698f655206ed3b84c41ca53d49c06d30baed13ac4dfdb4662b53c05a28db0a2335aa4bc588635b3b205cfc36d8a55edfc720ac4b03

Download Submit
C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx

Filesize
320KB

MD5
48c35ed0a09855b29d43f11485f8423b

SHA1
46716282cc5e0f66cb96057e165fa4d8d60fbae2

SHA256
7a0418b76d00665a71d13a30d838c3e086304bacd10d764650d2a5d2ec691008

SHA512
779938ec9b0f33f4cbd5f1617bea7925c1b6d794e311737605e12cd7efa5a14bbc48bee85208651cf442b84133be26c4cc8a425d0a3b5b6ad2dc27227f524a99

Download Submit
C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx

Filesize
288KB

MD5
7303efb737685169328287a7e9449ab7

SHA1
47bfe724a9f71d40b5e56811ec2c688c944f3ce7

SHA256
596f3235642c9c968650194065850ecb02c8c524d2bdcaf6341a01201e0d69be

SHA512
e0d9cb9833725e0cdc7720e9d00859d93fc51a26470f01a0c08c10fa940ed23df360e093861cf85055b8a588bb2cac872d1be69844a6c754ac8ed5bfaf63eb03

Download Submit
C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
21KB

MD5
94f3696217b7619ab79eedf16b045aa8

SHA1
8ba4a84f9e74ee0d0c7ecc452438181aa28642ba

SHA256
0ec4e87edb9472a9532e13a58a215b164d8520739ea2c5e82d2f79858bb05098

SHA512
57549a5fb9a5f8eecc10b1ffe34e9ed7f38d2f5d4072daabe711e4d754e6c603959e42a4842ad94784e1f1e6dd56283032009839055e137e5f4da5cc12a79320

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
18KB

MD5
1aec80069fd8c37a97f527ccd327b626

SHA1
bea7e96a5f8132fe47395376fef857082d46d2a7

SHA256
d9c2962dd820c4f9ee7a6abc6f4b740126e5d1caa494b47ef863be1daee65cb3

SHA512
fd1b628018d38b1607a90d6e86cf48b7d9d434082ad9bfa843b941051a4a7d0a28036c0136ba2e85864e40f01d750864f543a5e6d99851f84250b9cfe6221060

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
14KB

MD5
4d543c947fd1366782a0ddde11b79509

SHA1
8353d4a8b93d31a42abb1c163f476b7b745ec062

SHA256
213c79304f6a70d0713a6454c39425693fd65c2086aceb22803220ee446a1fa3

SHA512
f8daab05d56dc5582febb1cf2d8213715e3bcaeef7f35bf4f496bd30ce1cd0e4d4a12e2f263e30c7a68da54eea11af4372e362ddb0e80bad3a9981ee2394148c

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe5c4500.TMP

Filesize
184B

MD5
3cdebc58a05cdd75f14e64fb0d971370

SHA1
edf2d4a8a5fc017e29bf9fb218db7dd8b2be84fe

SHA256
661f122934bbc692266940a1fe2e5e51d4d460efb29d75695b8d5241c6e11da7

SHA512
289c40fae5ec1d3dd8b5b00dd93cf9cada2cb5c12bcfefea8c862ddf0a16dced15d6814dad771af9103b3a5d3016d301ee40058edde3fdea30d9767146d11cd6

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\156440c9-a01f-4f17-9fb9-f965313046a5.tmp

Filesize
230KB

MD5
a086bbfe8aab809e2f8fa30fc0c7384f

SHA1
315bbd4942667fca6277d310862e5556d08137b8

SHA256
0a9b62a185fd439b047437ae89c0e131f1b9580087a381ffa8b8e3f0fcdb3dff

SHA512
f2495b3ddbe3b7338465f56d46c9c74e429044901142d4c9988e1d87392071a11d148faad936f0a0d8d8fb08abb5b7ea764d27e0d9b9c4e00c1dc27c7162e2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
98bb667fc7d700c6b6144094a975d080

SHA1
ea1dfb79b1db7e3973a14a32085445fc21531386

SHA256
ff23a8c24c462246355cd95d7be8ec577adfa213f5394990f7312090cbc08224

SHA512
473c734953eff7ed5e371c5b6db90e4ddebd0c0ddc67da0b4196dd7bc61c683908dc2b0fc90b324190377e8ad52c67e35b2d5752ea0744f77f18ad77df34a8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\025d9a7e-40b1-4b6b-8dea-cb478c8dc04d.tmp

Filesize
9KB

MD5
38a27fe8755c98ec87b260ed6b2d8e60

SHA1
eed7e1b04ed0ced9656119e4749698f1464ef9c9

SHA256
43531400eb70c33cdf420b7935059529c322773e5f2274a142f6017fb13960bf

SHA512
ce2c8d987d2a1dc02446b11af6f0502f3c83c7fd8f527d854d7df2dbc24ea66efdd6fba141b61329514e37f50d2539b7444b8ff08388227c56488aa8c8f48acb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2c3c1966-d772-42bd-89ba-d6c952dcf500.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1816754acd77231c3c538a0b379da7c4

SHA1
29d99e379867325d466ddaf7b80390bb906d220f

SHA256
286de8dda37388d3edca68b5b671988d2eb03ae1d7e3327ff9c9f24567b88716

SHA512
c2d4d8d1defc6664d13d849b33c3fabcf8a26a74740bfec0e29bed54ac55ce0d1094b3d746eeb2200373662544e70962f7f3c6e15226e1a4d23a9e8327b452c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
40242383120b20e5efc1dcd9e9d1e1a8

SHA1
96b10520413d6a9cdf1d34de082cee4204d8f955

SHA256
d68b72394f2fc1b697c83ced141bd97726a460b3254fc5430ba508ef12d4a621

SHA512
86e975906da8be5a06b15f700fa893c961bf39d498aac3bf7a12ad2620ce97447232a7062d2dc4a729feb0257a73f075c9623aeec1f409891865a04010d02528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
c4d579d308672ec67ae5c41cce182ac6

SHA1
a60bcd5d718a94e46345935384c0f56ebb815d84

SHA256
05ce76881922b816e38dc15ce0cdc41516dd1456ded5f03cd82e8e98b95ff2da

SHA512
a1eb886ab8bb8a14bdb3332f3069379debbef6c74f60342681dd68675e3c578600d38224b204ccd8e2dd6062e9bf12e63d2f2e2557782911da8a641ae510d73f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
4a22e7dd9389d23225a7682a60333a3a

SHA1
d61cbdfe52e57e1afabb1ab02151d02849b3a2dc

SHA256
d4b2f2e271510399c831645806df4a4649c9352dae03d86e135c56c035d208d0

SHA512
3d003a6cc42536a97a1d05d01d8e25bb097b202a873495ae1b79d24fa56ba1d194932a12cc8c87a0e4c5d0aeb0501b34557aefcffa36c34588e78bee6dfeded5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
f0f5b773141e503de4ed29f2229e47bf

SHA1
3949c466dd25d405a694d3f8fc37270701d59f39

SHA256
e7fa492897b8fee3206f15314c528951f384f8dce86cb75a6f693c2470d73064

SHA512
e47af69440ea5564316c4507496be5bc602143aca8733fd07b762b92d3fe758934e41fe3248af83d7b7f434a609cb25b3fe8ccbd785544c4ebb60dae2a8e0567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
32KB

MD5
52de7f44f31c22b6a66a76329425cd0e

SHA1
ae358fbbbd191873e2fd088ec2d191a1b0e9beef

SHA256
05886748fd0abefce3b3c2d115cec0fee29419429bf32bb06499549a27e481c1

SHA512
28af7737c7135880b1e57db040ba35df8a644ac771e81c866e0b5b086af227446ef6c606164229fbdc92dffc2ace3f4875690cf747bace12beef635faebe1b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
39KB

MD5
6fb6810622687c37f421ba15a6af60da

SHA1
a348ebeae9d7619eeee40c08628c3ca44e9f1515

SHA256
28b187f2cf38c737c2808d5cd33bfb36e60a5c1738baf8ec5e9253e9cd2e5bbf

SHA512
2c34279909b309ad3174b3bbbedb6c11ac6240523719c2988f5810bbd7c4ef2448f7ad1e9da33228ca0544fcefbc67f1ae5831457cdbca281ff281981c8eb91c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
18KB

MD5
f64670b40c8356c01ed33ba2a19293e6

SHA1
f7ef5950714176d7c355759b77d2531577810484

SHA256
e891637a06f9eff960ce0805d9d87fa2e5172a706096b3711c386fe2dcd3e811

SHA512
eac3c4892481d9ff788354a49692e9739170162dede1b596076ce465fce31a30d188b04096201acb72f6750410e9d2c07e24bc4eb6090ff00abc5ce23965b820

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
26KB

MD5
5a89ebc431d0b96f23fe0ec657eedeee

SHA1
3e9a7e5b03ad24f58a20b2a0204eb68401490bdf

SHA256
0078ab5edea7d5abec2a4176c12c1d23f9eb730f93751c5158448c771d3ad6f3

SHA512
be339c6304329f7d38bb4bc95f0eb10ea4c1f3fd92803c94278f91976b5e8a3fe48160b8cc2c401e6530248e29aff40a2d6047f1cd0f626c9c221f926edc6e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
45KB

MD5
afd9b352873b6c70c6f0d3d2842af28c

SHA1
a0b69a3678d495c153f514245984e0959284da6a

SHA256
e132b5bad689e1e62d0799cba8137d5eefc4f558cee30687b3a3d036591ebafb

SHA512
d9cd792a4da2f046c4050b5753765ef31a9041044e5c9f01b0b6e75ec60fc07c1dec7c9f1a49a11986331b0b37a82d9ae3e0e6c2a2ea6380bdbf191a5247617b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
108KB

MD5
615b0de6d7c090084d83b41723b6770a

SHA1
333f40646dcfb940b90c42bc90241596fe038e10

SHA256
ae3ee331ead9dccb042cc552882005c6aab51b2802e5f1d042b66691322ca747

SHA512
5556e7bb3481ca5de5f2ba189ada8ea06602f42228ffad160e61c08d7bc34c9e7a47b4170db56b372b6560a957b03136ebb88811c2766d569bf6d236db1c3f69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
72KB

MD5
e29090c98a60b1dd4929fdcdcc86ac70

SHA1
50b77958ff6ba31cf2622bbe7a636a847e48a6f8

SHA256
1679cf15f09f46a49b47faac6c9793d48f02ce0c849ed4a6c9e41391fdb67973

SHA512
247035ea7309b728d4eba29925ea9695f2bf808a91f4de739d44b10f09b382d27c4e5ffe95fb76920f1dbb0207add2020857927571f970952df652ffda165652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
408KB

MD5
d37b91698dce66341cf45d3120d399fa

SHA1
51af72b44ad52a2a695fda72509fcd099fb8c60d

SHA256
3ae4ff7c13a062d65420fd668d4d1a7eff37990b64b66f539c6d30cdceb5f506

SHA512
05ea7e157876feef5769a3754df7c05b3465e2df57a115342e9543eec29901eb2e7dca8566f83802e1a2e2da4e1b2d0c661626125862f6fec773115a02aa2722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
64KB

MD5
016f4be1cb6cec68463f97da7a79e406

SHA1
3e5f88dd87f96617d4de4d69c9edcced47d80b23

SHA256
3fca1ea638d7695ddb8367adce13d0ea73d24630141368b36a1ea6f35d4dd223

SHA512
6e601284884276f33baefec86c866003b843e1531d7f6a86398bd4e7bbcfd4ba0250bb574c4fb07cb60c80ba93af399785a9b04dee4d4e6b6dd5c6d3525b49f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
109KB

MD5
5812fe4ec2c7d0217d6b92c7fe01bae7

SHA1
7531b8f8c5cec47d4e0cca30cc83a9d55f93b0c9

SHA256
d402483b6f1971c1f20a0ece1b7005646ae66e0ddc47d40c006511ebe59dac3c

SHA512
692f77212db7b5d6e9976e53ad2ba89a3d60ff2b8bda800c2363342dc5614908ae17d209d59da904b95d040365143501e8d7febdfd6a25d8900d4f4821f1618b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
22KB

MD5
a1f4804245cdb69dd3ed95d88c5df638

SHA1
d420d2f7d7ea2a2aeb0efa38376314d19792894f

SHA256
efaa743a931ed1e4ac7c2e8661fa668b8593a249c466f6a72ccaf63bfef76cba

SHA512
cd140cec9c691a984eb3d20f22b1c8bbec51b0f89ec6028a31980f37eb93981d89f4bd600c829b1c04cc0044673661b72c78287685bede6a33169d1b07c2bfcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
99KB

MD5
2c3e7942dc4ea528a7b7fd908612f3a1

SHA1
25530438805c64566535a22d5cfe68d20b9a4f4c

SHA256
b7a6209bc14a87b802dd593ff28bb9af945350e128555104ba4b2895fee8c41e

SHA512
c7947a5674c34d11237814b9dcc2389f8ccb12a7f23242ede637b6cc96472a062a1f955d25f8774ebb1762e05fa801946f92b2c47891e4d04011843a2e87dbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
21KB

MD5
15b4fa14951ee4727bc989f69d0c5e5e

SHA1
e2f3ac626ca23c9c6e22199dee8bcdd27b47b6e6

SHA256
6a3f1119d11b3a39cacbc053b6fe3e6c434890aed14f16a0f633bb01ac3badea

SHA512
f7f8c7a3f29a6236c038e45a4cabc0ab087233d49358a6d0745cf04ef611f806df47d17af420a009683ae2ee6835681ac6880d5aed342d2cf596a9c8d4f2662f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
16KB

MD5
5b393c0c819d56e5b5f71e2d018325fe

SHA1
2924564bc2e52218725b0da0cb42eaee1e9cc9c7

SHA256
37e3622dec56b44d0124f2c93387f5652526b0ef25dcba54a7359a989d7f25f2

SHA512
553de8529260d5af76815cc07b15554a921d97a9b83ad22aafa483b7622290dc8bd91a03a7708a5dfef5625af0ecf154662e098f10581e4b051dfdd7630d801e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
17KB

MD5
dd60392e26001cedd02019702094124c

SHA1
fbdb51a7ec62a15d2e499728ee9146066b56ab8a

SHA256
a314d22cc8646933bddf3fff8b799a11aedef79545dc2032cb0531c9f71e86e5

SHA512
b5fa41940b9982c2ed24d377fc9fe7935a178c55c18f3211117586abcf7aa3c04a6853fac3fab953f6cd5470c00cdb4ddc3fdd39b1cf282a3605bc717f6783dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
23KB

MD5
f17355cb2e099b0141aa542bbb23678f

SHA1
c36260623798dfdd88eb3b720769b15213b9ea2b

SHA256
e096cc6605a317c9621669ccfd19a7341fbfe4e221e1ad271116219e0188c021

SHA512
692b8818870c0c3783fb7c97708ba99f936f07308d86f2cb8e86307ae2bdc30f82745b0d375cea1773beb87c541309334afe631881720a5646587357679884c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
408KB

MD5
f2adeae61fc74a03b78a85f6238172c6

SHA1
bf0778055f8fc6eb4b71a2404c32008ffa025342

SHA256
50a5e42c39cb2202132403cc3e944c1463de9fa18c84632b91a229ef35223f8d

SHA512
b72ff038d8e1c09ef1636cbe280f2723fc6224f4f9b3a0f369bcd1252d303059673817483ff34d7187d966a7f39be37090fad16c2136ac0fc8682740b9bfe3a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000097

Filesize
170KB

MD5
16da614f99948d3eaca5a68af6875151

SHA1
6d25040024fe8f7318f971f076aebb28d1de71ea

SHA256
bf8f4188c758912ec28e52498880a69a48cf18332914789144d5ee90ec5f40ed

SHA512
ca1c924c2a1c8bee9fc27d397bb205e99bb0a7b9477e8165c2b13f8548531cf180bccff7cfab0cb60547fb81298df54071c496837ceeb1b951d2352e3732f513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000098

Filesize
323KB

MD5
1972a412be3c6ef434b232ff28e8d6a5

SHA1
a26b657098f42079b76c121e5bdd662e5c788ef7

SHA256
e437741cee1a6752061c4420c975eea80370b458e7401afa19ab4d42c86a7423

SHA512
90322f73c147abacf94c2a6a376a6e0f39bde2255e7b77ad2ea991fa56db7df1aeeec598a1abd75fee9cfa994e91a16cdfbbb71e9de68a61af3f80ab723b8bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a2c8047c3c5cfb6b99a139ebb7d9bc69

SHA1
264aced7102291c17872798d7b6eb712c935496a

SHA256
8c0da3e7203a4f0d62c7a262a3a5f76daa51588c0296735b7f20f7691ea076e3

SHA512
f148c10c655ce20cda065ab675862b48d9e78c56b4911794f769446a26936c80b83ca39f3ee4e84d54d5ff57aaddc6c2ad57ea40671a4fb2c40d4dd026a36e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1ea934ad92f579a6ffc3ce81dbf2bd1f

SHA1
2fae6596e604f5d439d240945f92b4128da3f542

SHA256
c5864605c5b223290504e6d260ca248a0987ca35b4e2534e6077b37b948f644d

SHA512
0bbd6aa0114f574a63996e4557e34bb3eb51ea87e07455b3bc95175c7f3db2a8275ea2121b6dd1dce08a46983a2845109f1552813dc92e7f91085d330a5e513b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
3192c15af078c1186b04b5f05ead0b53

SHA1
6c98a601d594382fb101ea9079ccbccb88ac2c21

SHA256
0eaa29702f0336e04cb04da84cd210907f8a5b7b7e85bea05db81dab8b7ed7bf

SHA512
3eb6dd8237b13ccde1de66adff9b5851773b2862aaa96dda81bc04062b22cda77a60823d15f07d846e0bdb125602c7cb58d5e83e298a175a9174bd69cab13e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
30eb80f4242ed50fc12442327e45351b

SHA1
6d3ff5f32f30428a98813ed5ad0b8d1bcf2d8189

SHA256
e541f6ca408aa0780f6c05362c79d81dffa052e9757f707ddcf38cbd8ee328c4

SHA512
ed572319cbda6a3d540115d2252c4e3e22f16499fa62a816d7b38261b1d4dcabab2dba711588a5c3e09855a9f3d3eeb77b483b1a7180c19d2a4c2ddbab6147c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
1b87d7a4e02488e20020c9964369a6fa

SHA1
da1bce0f113a019dfc4bb134b83f6df272bcc960

SHA256
17af0dac97ddcefe0f4e2d64c0bbc1e8c59897bcbba46f7f5bdb455e762c7c3c

SHA512
25b13e5cbdde3a8bea704529c97fbaedf4b774ff592568a6ed8020ec1d9199249d2e6cc872c03ce47764d5b023dab4655b55c76e95649a5e8fe888d8b3ac7563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
28KB

MD5
185d38b130e03880ab14b130dcdbb03c

SHA1
be4458928d62b8ffc22cf4d542c252a882053e67

SHA256
d62b8c77a878698d9251419891ebf9b4fbce7363d755829ddfb5c80e64a76c0f

SHA512
50c11c05c909260cca944ea414fefd84d5e6a7ca1210f036c3667b6adb8e920d50d3a26e4cae1525c8f7f727da2a5de8329bdd40d1a21a1407e9bcbdc3c30b61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
837d12a514276afa146c1d35b8080351

SHA1
a1ed261720d2bbbb895d3b17f2e7931ee2e17ebd

SHA256
7913d92f1d3e0916163ec98f7d5a04bcbc8f33d85e45c770e75d649d91df6757

SHA512
0e02322c0569064374892a479d60ee02775ae9d44f2d1409571806310fd734df334f07befd75d19624803a8f1bc6cbe07edb1e9db7c14c3ff63127e447049e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
757b9ea60048f3727e8929e4786eb82c

SHA1
9069967fe74ae21bdffdd96ee4db343078754bcb

SHA256
703a2dbb6d2ffa4b01b85cb1c8a564f99b48f62179ec17034ff3f63c1ec06ac6

SHA512
9aa8b259ca220b96be9e3b0d26979594b4c42fdbdfd0fea0287c34704d38de9ef65a756ec16a0e272c7c165b10fe46d0fb45686f9a7c158dddef497ae94917b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
a34bd5ecd3b2b315ff2338eb0e374572

SHA1
af00d20d2e158b55165b099da7d2f99f71043ec1

SHA256
4fd4a01437ac5c4e57a344e059e561bae61cf556208adc6c647bcd08368b758d

SHA512
ae0a57f47917dd65f05bdc67aabccf3e2a17f8d998aace8ca6c0307b08cf5558a8d1830f23acb4fb019c96c7eb7149f1a7101e445dc8fd92c76a59a5176f1b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f786e639e3aeeb209d187ce42b6cc334

SHA1
ffc9194bf16459a4c7eab624b6ae7c5e4cfb0024

SHA256
31ed957e03bf34919e5d3147ff4a255f477627940ef01eda0ab4caf520991809

SHA512
b69f112851e9e3ed8876639c904e8321f8ceaa23c7f4db5c6cbe33a53df5162e8cec37831e2265c2c9dd73dfb1e78b6ab6ec2d977268b3e955eda0ff08d7972c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
ecdf3b6dd49e8c77c18b4dd08c1ab2ef

SHA1
30d2e39f84c009997d9a9dce094be8f7cd20fb5a

SHA256
ae7f763d74c88206edc3eff5a4affce9f7b1088c16d40c6cc66841c8e479db35

SHA512
06a7feddf4b68695c52449c03d147ef458e0efc9eb7fac0239ce15a7cfe6df6299769ccdc16b869fca56fe9dcf3de54991cd0dfd91129e5067b69c9277a6463c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d6238f28972a9dec7fdbf351d8134b8a

SHA1
8c69fcd22c231585b8a42b2900044796331b6940

SHA256
11c71e61ea0633d2e6fc30993a112b8760808cd98b68640b7a1ca70a0604a62f

SHA512
5449c27bf05e6bbb50f03e0f6a0ef74e4533ab9449a5700e2c5f8b471b47cc5cb7a22fd47ce654ec0e2f017817768d37689a4a412b401d77f7892f72cc1dd5c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
c8bddf19bfc82665c6e7dde323758084

SHA1
3369a2349d4a69b4566936faf50aad67518d300d

SHA256
d8d857fccf22aaa61732bee5c82c3a29b4cb4be0a887a9ea39d71480b6ef3a62

SHA512
9e50608b225f8350bdf90c41ba3c2b2b3ff1621c7586eb4151e4e03fc77222b5220665f4af3394a0091dee145b83944c56dc04002f02b2a87ab759c734f9b8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
cf6d7a24c090e3f4e09509b59acfb56e

SHA1
1beea0cfdcf494c5fc08ae5dea02beb84f1ec3d7

SHA256
04c44604af373120b839357fd3dd1fedc01960364ec246af2b5340025f98fa60

SHA512
d469624a83e3c96b659ec71afac69ff00b2f698aed467fab6eeef0763c07194e623f6607f169e30ce1ac88e19344322d0c23c7960680d9907202aebaa74c6725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
350B

MD5
fc551bd1c346cac55ca4906899464cf2

SHA1
2ec8d3d94c700073b4750a2aa9826d5a221a8c67

SHA256
a3ea95ac306fa924df9d47aeb28776cf172161b8728a12652b3decd86a440f47

SHA512
e1727e36d173d9a80eb27a8a1fba9ad414946dcbb20892a0758fcdbe76cbd974a2a63fad10e4958b92dde86abaa556eb4b56e90561f0b891db23403433ef0061

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eca01d3d56c4d737d8ff92bfc4a6062a

SHA1
3b4b3b350c7cddd8d0deab9064e49d3069839bb6

SHA256
0056a5418a4d1edd7170dd0294af99ecde9c7c475bee6d08428639aa692772d2

SHA512
8227201bf0a35340a730685faa059d4d192bbf89d2591356cff03e93b5440bf5829420d707c1195bf807f5d6bdc8a6ef9f8ba398e447e0f5fc61128d98a201ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
ceecf20829502ff66b2902f6b3360cb2

SHA1
ab6986a49d9e784441c4ba549bf5eb9e7ea9b1ed

SHA256
9272ebd4821cea1a420818bc7d7a8ac17ee354eab5c34f1a7a66c4978758dae9

SHA512
8fa4bbf2fe72fa8e7b9b510e167e36c6d4c4b88ebbb1e6708bfb856e53fdcaf4465035740610ba03b51c45b7a41164ac32c32cc109d88e3f09139ff2a9c4a0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
350B

MD5
9519e2117299696217f93a72f4074084

SHA1
12e6548e9b865814df152f4a0371e3f20e4d208f

SHA256
e0d55e016d4cd3141f14af3ed1bbff1a70d843befe03a5ad18b250d826d99f87

SHA512
14065455869ac4bf5344deef59154c4219740c9a31b18f41cc300d4f29745554ab48618455a4c4ad0a2c4c60b476e2f98b15dc2534708a30d07d294c083c44df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ca4f4d13f767d86e7843963b69f8ff64

SHA1
7df184c5a044605f1bd46594abe3ee1f7be4cc46

SHA256
dade5cc3b51b2dcc95c862ad67a598550c1f9195c18bc774db38f99a8ed90f5c

SHA512
0dcf33bc3ae7fa3c9a57e3a7fdf3ff60b8172371845d082b78c2b89e4574f062054173d74a696fb41c22ea5a905f073484b89478d2aac29ae27fb03c8c2b7501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
670B

MD5
553f6bc3a6cab777ff789c549bba8f00

SHA1
11496ea46c2d6e2de5263cbe8d4439759fded68e

SHA256
04404e60b5bfe05714ae8578ea8531d57114ef3eea4b0d92775a5bbb8ca65068

SHA512
f1c25f9e974940beeaa7cc445a1a0cf8148c58d5fbb1ec8732d884c520f5c1553eea4c78129db3699431819d9a4604f99b19f89a5cef819a2e87c881aa13076f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8886805f5a1daf92aab14bbdf8456111

SHA1
ba79e10c1e4e00272a608edc8b7beacd10e1fbbb

SHA256
c8a57a46089b279d006b6919b25e6bddbcf923390cf7b07c8da1f144364f5f3c

SHA512
ac9514c0e80c74e08e48546cc57fae16355ce2f43d3f7cb77ef782c4c3dd8339f761e7a13c8fdf37852c0c062fae49f68d6926b98d97a63763f26f050785dce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d7e5437c7e8b68f7453041a943cde962

SHA1
834157d04ee5b8b8805386c437cb60e580410ad3

SHA256
a55491ca86d2e1312fd15a87ec11ba2cc47483cd95914a16c9fd878fa8f49981

SHA512
fb2dfe476d29ec919f3659448711dc374c59a04411e6fe8d05109213b16b844f4a0d4656bea2826e163210d19addd585c468e5d0d52f68167ae436b013d4f84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8f1eb3e8c9b72febb6219f8177cf34d3

SHA1
6f4daa85cfb8bace075a67110686ed63662da422

SHA256
6819404c0345b2483efeca76201bb761885ee0478fcea6566d1dd8bac6718476

SHA512
2ac368fb57ecc82a5cfc825f676be588ad1de1f069c868bf435832c4f69e027fe7c728cf6cbc77c75dc7f00e055b98e4a21dfd3e88e85b02a86d1cd87cf5894b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0694cc6c83cdf6d59866ffde6b8868f

SHA1
ac3f5bf140353f36a63630a1500f595f04268f5c

SHA256
3e37b415b5731a9974d3506b7ce80fc1f8297bae8d7ccb3d66f3638ed39afd28

SHA512
b68dcf870e8c90b03be336e94aa4be398a72e5ff7bea8ec6f20fcad20e576ec4f157314825daeacb9c0dca832850bcce87f6e9900c2c104e1ffba76083f95007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b4395d29de80498a4a1a8e6f1da7b2e4

SHA1
f9f08296b11606b6824be43459ba5cfc5eb8f275

SHA256
e87e7341234b9db58e2472ae13d27e653bfeea6ad617197410d34200541b656c

SHA512
7a4ef01debedde095508fd31d0651e758e6ff8f8f9cd50b0b6818b6a9429710b7755f0ceef4a17d1eaee8fb038a32e77c3c67637ee29eca835452ed958604157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8899c3746c0b4e371b6f11dd28b8cb6b

SHA1
52d8042a84a3465381aa07df1602738542846f3a

SHA256
6dda6427b2dd1af6b0b8e0334e208cc5716d37deed58d2af2cd36a0daa4961fd

SHA512
4e495965c25d35f87f1015cd2ca17532bdad64d39fa4e9fa1932596fa35775a1b8af7e7fbab3e7d7bd218c164a8664b56956a60e8508de6d0cec06318e0e20f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0ba29f935eeb7cd9fbcbffab82a1c6df

SHA1
cdb69d83d5b6f3becdcc098f17702320acaf76cf

SHA256
1c139bfe97c367333989590232f052eedee35318f8c3c9635903f8d0031bfce1

SHA512
7556b44e5eed0e67b6794c5b1efd776d86d96e3a93b62efd9528fb7b2a3deee49bfc69a3a40a088707d2952420c715b29754662ba4bc411e47d7c8b52bbc2ea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8a904e0b0cf979ae7c30966d27ef2b5a

SHA1
6d8b34476a799b45d50516a90e047146b8e7052a

SHA256
37311d25e88b59cbb9f6c4a8cc57e91954f28f510248b60e6be5daa383fbad86

SHA512
07681da81d6642c28531a5458eca3efef738b7064a80a28af2d900c5e82a6f7fd0b6588785f18bb13f578228bd6de29d7cb640d1f309bb2ca5506f20ad6c1170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4e61bf0ef770b22557ff25397dec44cd

SHA1
82c795026b698effd247f29c9e2f3bc672841754

SHA256
193d71efbbfafd04a8834c34d2226fccfd940d2c540fe0239d6512ace843f2e8

SHA512
085f5cfff26a37c89bc33439f0a890ac164e18665073902f426b4087019b43d9369491d0c92037fe1a62a5d03e1cbcd0b5d9e3cb42fcdda60cd767b83e1d2a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
149404e2e4101a0573aa9f2ed00f24ea

SHA1
8fd432525c6adf267c807530264a932d19027a23

SHA256
cbda512356663c8cbc361e48e1dc66d2eb01e405ecb61eaea1655628ea5429a7

SHA512
3348ea113d7c20fccc3fe87acbd0e69d6c2e2c54ca8bec99b298416985cdba0a298923448a50e689f3174942cb1d0eff7708d9b65e69f2ec2b919ae3b5e35dba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a78c9b35a9671e5d57dd27d5b6696db9

SHA1
e634aadd9e3fabea8b1c6d9cac59a9cf6ab35eb5

SHA256
f7cf0ffcb5924df239b57e2837e630d91b9007940d063920ab7992bcfcad7b76

SHA512
0db144172b6a9f04d68107d4ed38fe5833554de8036eb0bb0304e78fc67dc5a00eb8438f992e78a1aca40d5a04a47114be59f337b8248b3bc9a85e02d9911fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
dab17a811a696f19ceedc555e6287f3a

SHA1
f0ded8a365f18f91f60d5c5309f8210b731a12ab

SHA256
1fa213a7d95c3d9b9d912814ab00382ccd45d6c2077bc47521cbd1aa55361118

SHA512
32b501fcd042d042531af34ef4dad48c46d35a4093b00e6394848a720490f9f2bbaa8f31a194813e281c30ab7716cdd2a90c88defb66bd1ccd88a4452a961859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
daea5875f67258853cd45432c515a4cd

SHA1
7e57227b4762aa1a0116a322bffce36383a2eef8

SHA256
417ca6a04505c5ec37b69bab7ae361723c7348bdbfb23652f62c57c737c975ff

SHA512
d8b9816fd6017878d01678eae85a9ccb85e10c25d5dbc4b9ec05a01530ee3203232d6ef8a46104f85a1f39c0a31fcf25efc771e9ae3a1114a3b77cbfae65ded4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
39e1f2bfa60d404b5bcc755e6d885b77

SHA1
9d85aec4bde2cea13c80613aa0a8f299281eacaa

SHA256
baf3c18de7d27e0133faa1e1e87bdfcd400334a9a220588d6d9a00b2c28eaf58

SHA512
f0e0b210f6f301600322e66a753336799bef64f14d771905b00d35769b9b2e26a0d7a936781628c6b09706126be6e7eb1fd575598b7cb0a653c89b31af8fde2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d120e0aa92bb92a620462d541a096c77

SHA1
2dff2abd3dfe5adbc101668d443f5056588de7f6

SHA256
dc9ff5c52c841842a6b3ae2417227614b9254b41ee84a62f691c4ca249a69cfe

SHA512
25641b24ef4b6793de63790b5afe9ee0d48863ab39bd9469f036798d8efb0562055c6dbe7eb6b40884cace3ce484e8193c361ea4f7e506691498f3466b138b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6acd0bf736d22c2a268a63c8af0efcc7

SHA1
0c43e46085f083872a199b2be47dd8d24f99b089

SHA256
833be219254d5bbbd66d14a7a01d934429473709aafde328357df7478117bee1

SHA512
16a6936d4f235917679f77af25e7ac449b33a2afb21912887f359955099f48d97a35e2106fa65d34e3cc8cbfba120dd6423330954a6c490f929fc9d4bc4fd5f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2d70c5daf760086ba64cf4eebe81d88b

SHA1
ea6e764a5b9be8b647dbf6a9e27ce1f6d715d8e7

SHA256
c46d5aab70e1340dac0057d91b6d46080f8ff1cc3a990f184c72d2e350501258

SHA512
d5a2ebc25fd37b9cf63797e86fded82e845a799d5959c2c4f9774a573e61f4d8b7be420927890f90ac5a0fee80951cea61fddcfcc9b0f2a1f87b0ee5e6652759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9e2c23f23cd5cfa12bacce324cb7bd42

SHA1
64559f589d315c38af52ee4c8951ed45cf444f9a

SHA256
a1fddcedf78ddb12920f127215d1eb1d87338e97328517622ae255cd96f87a65

SHA512
73b287f429fde9d03e10ccf7ad02bf0ef0bcfcf59c9f78cce86824a3093a7e9cb408f8de5c4f514ac60bad8789fb2d9466313598f8194743eed10bb323c7955a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75e3d3d46e5c14c0c7fb854332823937

SHA1
8b22a016676603cedf323fde489dc34c69d8faf2

SHA256
79e34c9261468e784e98aec6893811b243f31b39a11f75e9ff957c561af8486d

SHA512
591d883e4146bc1fb6370f8c880d9e3b6621fb035569313553e14e5955eebde9305dad370a1962437edbc5c70dd01ca244f8a69de32e958825b8af1a01d049be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4643b60ca985b4d102b67e455527a092

SHA1
b259a1acfcd93bedc8fa68749439091a71161640

SHA256
132ccf0c50125ce515f1de29f3bac64b31a6bb3acb559b1e08435e40bc28e00d

SHA512
16eeda69593628704cd6ad8df30585bb9eccfee2c89af4ff305ef3c88c46886c9524bd4b507aa57a34d886aed42aeb0def7b6677d0aeac2864861aedd1edd1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1c9f8aa070428a99fecc5209709fb77e

SHA1
775483a069407246e6c54c5005aec111aa2b5cb2

SHA256
adfe4aaee5f02c0a6915f7c31184b4511d6a7426a1b76229f40515eb5c90ea9b

SHA512
919c0b7f087efa7314d56cb14db71d6e23cb644d73b858bf5faaa22410f3bbbe43beb393c43d3960d35615dc8cc371debe47e2ec0737e072ad5f59cdeb129a24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
536eac2c64b9fd6ac8649d0b0607875b

SHA1
b32db0a8591f42cebdf632ae9bfae797e9822378

SHA256
3270ce6b82f4c17de569fa155450f30edfbc6bd84153293158c54ca60f8151dc

SHA512
b5a6d88f606c542f8e2ccdb1b606d1acf4fdb03f9d47bed6eeba9ac89e9c0e870980e4c1cc32cd307cae568d608d34a672e1643264001c2bd64a475d8f87383b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
f6332ac140fbc48b4d6ee7cd8aa4fa3e

SHA1
14fbdc737999a300be031bb9779b4a44311f0886

SHA256
3e8b01194dc6ac9552fb5f0febf9981e4a4c7ba8192858ce024005fb1a9431ec

SHA512
44a39d4a99172a877cf210e53f1883966668dccddb20571111d4ff7a22ea7a2f75905ddd288f9180a60339d11a042474c3e1a0f3392d3919261811b545b51936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
072b9b8df339bb451889be6196810bbc

SHA1
4d6847a1c71fd65e4859a09a50562ff4cb6e551d

SHA256
bad2df35505aa0c6eb94b6929133d83c5432db076f305324b8b6dcef313eb410

SHA512
1f0b30b67b2fecbdf8ba09cd028fc412ece6f263b643068164b4ff7e1dae3db3c30cce657eee474c05bdc62c7458d6a4ecb61905ec8ca04fb430451f630baa50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
d877601486768956acc8a72b65dc8452

SHA1
f6946015486565efffd4417dc98825d2ba4198cb

SHA256
75618aad468c99335ccfbaa2fe492b068d0e6fe38ea0e92a52db43198129cb05

SHA512
0ac6027921677b5cbdce7f71396185ee4a79abc908b99faa426b9433d9501b224e4cea7b9c33bb5aabc2c4dd257adbb0c50e792aa8066d8105424bf502e7e4bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
37126ff7f0b3bc14fc20fb0cb174ed34

SHA1
b700aee8e263210a0781e2ccd1be1f44284e3594

SHA256
6c1f7ac706a9a764514a0a22c1fb0d8c4b8386c586ccb6144c80999556740527

SHA512
f6a8892d396b3d448f98dcb434318b043681d1e2bffbdb36a1e3159f59f594c2295dd4a07aa72f7384006e43897299105f6eb1b5c9097388787366162f58dd89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e38c7da5f71ecf1ee914dd9491976afa

SHA1
d667954e1ed35a97257ac85733fed7856fb293e6

SHA256
d2387d0aa56b5998523643415a8981e3669065a31d0d756648667a9f7438ac24

SHA512
ceca86cdce4190fa4a01ec0988df9c7802c6da425241f7f857da82be2d64d1aff8f9c723592a3b45e49870703c5553275761cb7993361f2475fa3a91b78b65ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
318B

MD5
3d0a9cc6feec7493ee2fd18f71b45f65

SHA1
08d1f626105e98848bea8f300b1d61a3af254d6c

SHA256
39c2c83696317b706c9a54d462f55642c942c77e227549af4f18ff1e27482bf0

SHA512
a7c78fbfcbe675356cf9a3a488db19683f72323e5686ab35926299bb90febc3b9bd30dddc51b74149e2d8a7b679caacfbca2074f4a651934fdf297989617342f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
2046bc1c27474057ffd77bb34a8dd91c

SHA1
75343cb2eddd360347f50bf2d027984cf2d7862a

SHA256
4b121606142e2205e380510e3e238f77b3231806b2e150eb75fa1f3a372c31e5

SHA512
08134783ef05632bc77221a58fc849b4e7f2c08830949fc996a946f2a4d33acefe8fab7e66566b48e3d461e9b0b94663bc5efd58bfc5c117cabfa474f0788daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
c53ec70aea74abdcf7fa2fe6376bfec1

SHA1
3cba1e9a4a69b9a0420d69848898215e2d249cb8

SHA256
042dbdcf8257fc7a1db40544be103de10328b904852ce7daf93b967b12ad9678

SHA512
f2a93772689cdc234232c209702f7a87c683e7a4b8e236877a3145e7aed65719885450eef8e31b1909d54cc60ed2fb64ef4313bdd09de4d7a6bb7256b6a51ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
713c48a7424ec09505fd9eb472ad615b

SHA1
c0f93291b6a50ea556a15758f9226c0ff15b3c67

SHA256
749261e74274f0b8c189152a68c8c34efa0e670859162aceb247c895edd3e2a0

SHA512
7d909a7bb94b313ddc7f95c6521dbe999ae39da56f0ababaf7b57097ce7c43ea5c3d03d50ea4442d9c625d670c2e240ab71e7fce24d30ded44bdf0027069ac38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
0add5e1e73aff4016aa96838d8e82d31

SHA1
93bedb105343f53846e8060d52dd3970283dc149

SHA256
e7297b0fdfc4ab54d61a58aceb977f31d3831643d6d25c48775772a6f49daf9d

SHA512
fb0c609f61b951bda139976bc7989a827203ce34fbc33bf4ec96a19ff02398b644db878be874fec5ac009c4654c90bb681ef31ae5ef6268ecb91a305fa19dea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
218d68a6a466217b0552e82ada145fa2

SHA1
798e02c9e08928972869e92ea8486f2fdb375818

SHA256
38b86de60f81e9deba68a40eeec4cd26080ed8b9011c944dec25dd1ee53cc8cb

SHA512
9e51ecf187408da793c5cbb8809ff4ea4ceabb997c9ae623ac8a26a3b76ec6a593111babef2339b4d29e44057e717fb565abd2a2d9ee34e434c619236540d600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
830d5f8b9325866301be528b6523988a

SHA1
7f36cce994a880a7d5cf870b6551ede6f79a2f0b

SHA256
5e7f1b683e55f42e79ef9c488e3a7fb67bb2c970aea90cb1d36352eca1862868

SHA512
2f0fd0a3897a2fb06dee755b02132fb49d69be46ae4ed2b624e186f520a3b9570abb6f8cb13f95b43fd30ea34a5a83232ec771919013966ce67729d861608637

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
86e6eb1ef050812b61017b636c9492c6

SHA1
e620dd01c5db73b9f0c8956f33a6e7460fee4144

SHA256
9a60de8fa5b8aa0d615d485c0aba150de30a66eddf1c2d4442328e1d7693eae8

SHA512
00c8b44c4ada476b48628228309f517a2cf41d6ad01c77dadd54ba50800b572805426c766235fb6d977c2cab44c5b5e4d3552d534d353080961b780ee893d1b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
cde64e74ccc08b5f33781e1e67f07fe4

SHA1
c4eb5605cd8019d05a886ee8e77c8cef9eded8f6

SHA256
216e4d1814d14335b544112e086dc016379d88d31dd93f03ec1a7044e3ca8862

SHA512
fc521e0381838a5494848a3add3df6e614c598ffbe7d0c0d2d9c26f3ca03f4f5621120e2e3e051dc3fa8d053bd695d7d75dc742f808426b38653582822801336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
38120b5a9c4fd946837097aa259b40e8

SHA1
ecd906555741dd5da5f8d5011e18f28762b774d5

SHA256
c4869ef0b1334e2f4de843c0897ef294d314d20e1e1da26f31768130f3f94128

SHA512
3d9bce4c9b21769ccefe31db371cc20c61a87af850311a045e9a965871e05364f36fd507b0fffc2e4a51720e635e42937f75abaffd3afdcb02fbe608362e2aad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
f3252d4bdf409ea4c64cb23349924d62

SHA1
6e13463c65b4bb5caebb912e21ec8f457fae5a43

SHA256
a056dd61ee10d3881b82660548bd956955c7e465388ebbe6792580610ffce4d1

SHA512
df94f6c1c84961720ed5f40b4fb2146203f16773375727913bdeef9235e485bff7a2b0b9491c850d48299fc40fff065024b321ccd0545ed4e377c0c06e68ffe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
507c40fc13ca415cbb3d5dc6cf7e491d

SHA1
39a7db60cb8718dd212b3f41b0d1bfd179490652

SHA256
3d1944a9b7aab4b611a1044f90afe7ca3f3b0d3c79f0a9959561333195e5af64

SHA512
7fd860b0a9cdc0fd21ffa0daff331e2a53f16912d4ef6c0500e915c4a9d5a7086ceb655e3e0e95b8a86e6b9736d6a57bbac3637432d28a34100505750a15826a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
7bd7b81da57b2c9e731493ac3e969d29

SHA1
d12c0582a84265c73a268576216a2cb6ffae9653

SHA256
ffe50b3b779279c61b679dfd1873f3b74d58f2c1fa6b69a4a19c35385fa5d106

SHA512
7c516a0a9f9ad00816b00d91855f069f0a6a9abb5a0db9ad06374cb9e4a7f94dab17c37386d44608e6b2aade82410f6e875f5b0fce79c8c6ef0f68721dd015fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
d6c5e1f67ad593d58c0f732abdaab782

SHA1
6af3a8864fd04f8bb4ab537c2435ff6fa1738add

SHA256
b3034bfc1f8784c9fbdd3d17a24b46e94623cd07ae76f48149d3f1f712f448af

SHA512
6f6588b3b86daff307c884d3966709683238755fe0de99e0a954da55a818c4e437601cb50e5443edba69a315efe5c1e1eb027b07917228c01ecd60cc6e3842db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
16c2f77e57070f51f19c61752350b3c4

SHA1
340629889563d66b81c55dd905800115a60a966a

SHA256
dd0f75208bc82b8a1bb1f2c44370217f8229f2fb1215d6643f7d8a1b23898f33

SHA512
9780c5e0edecf7cdf040a130015dd8026b8ac6baa36639cadb51d24804cc877c1b0f0cfe5d7c1e472952433a754ada8b828695dd212030e6c72cf7835762c752

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db-journal

Filesize
20KB

MD5
3d0fb3044c661de613a0e963342b7dfb

SHA1
d6c6aef23c8709601d82207cf1f10a5fb52770e8

SHA256
d2162866ebd3d59fa6eb7ae34225007fd718b26d85c7a308bf3b0dd05af403ab

SHA512
5bf40bb44920bd7ae08b04140a4f79791193b6b80f90e5ae4a0d9c1dfc8dd479f5a709f8087396a05703ddd83fc93947ec9344d476548bd26175eb2b0445895f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
09d24a629f2a5de371f64640e1c7ee92

SHA1
876a30562886cc036371a883438afb7e53aa1ac5

SHA256
e8d47f20c0c9ea0c00d6a0c15c0be6512c835d945768a87dae1446c79491ccd9

SHA512
67ac8744f061a75fb2a062ba9c929e627256e089a78d138f0dd332c4537b13f05e8d14b692e4e3598fc71ebbb4f475005b01d7cef9d15876b8d8975881bc69ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
969B

MD5
0a853539a0c5872d6a1ae3fb009cc275

SHA1
6a59ef3ef3336a1c76dfa7f71386edc79bd91014

SHA256
4cd28f59a41318213789ad2b926fb8958fd9ec9e203fc8e5ed65c17fb46f22f8

SHA512
a21bbfcfc9fc3c4f53716d65350a796349d0bdc5262c037788173dede08b165e1f6c9c1ec7619879b9e1ad4f547c7f2831ed96f57eec189538d1b24e5a83ea81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e385918abfc78b6822d4f446746b48e

SHA1
6522c23c726acff5afe2d68fe8c1eb142efd28b0

SHA256
a8124f6bdb07a40f854e06308de4130a77af3eb552392f9cd8e29ca5a6993b5f

SHA512
b64ef3696235d1d97b9311e34680c99f209837f3438fb760c57dac27b2cb6c49c9cf6f2788c3aa12f081c8fc3d8e871acef1433b94855b724d7b21f3892de071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cec396ff7d666b34f0a3ae7d6ed4570a

SHA1
3dde9d8e3c1ad08984d48200dedeb3de39543ffb

SHA256
fa255a0efe269d7c3b9094076564dfb9873e2bdf5689d65acaa32136ed74e191

SHA512
b696d83766006cb6e1d95ac6a9800ad7133f3eb7d9f33bf5f1687dfbc592bb743219905919816842a43a91d107e6c76a352feca28f668c384dca4687ae556887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
630b53689f47f8263c1d897ba76007d5

SHA1
e5b44cc4d9e55b5ecbe2bc0525c550ac8209d701

SHA256
11ef6b307a1c0e5c307cebf2e564b26886362d02a795b7404e6d715789f27ba4

SHA512
81cb8665a3e432569df78121d62be584b4881b2e060620d0fc6f8fb57a9cfe2fd9b46a34e366f313eacfc20dbbd29649c573abd2c5395966f4f2e69faa67ba64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{27323E43-D1B8-11EF-9A5E-6274148E5E44}.dat

Filesize
4KB

MD5
b95ff1cd7a762f11e3b9afdaa32b0424

SHA1
3647ea158d7ef4ed3bb428d88a3593c531544845

SHA256
0cef6043bb39ad951ae8cc75ef8108f2df7eed27b38d0aa5ae290934d3bc4178

SHA512
7730917110eb7ccc1ebdf705be3740a1fe1e590d45ba3b9225405e023c23022a2b7d0cc45c9f4d508fa1b948fe4fd8cd78e7681fd970271f93bec0cbc3982f76

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6e1c409e1983e60f653164e66af1a3d0

SHA1
b94def979812355319879675b4a2a0dc9f10dfea

SHA256
eb1733b7f38291cbbe855afd4b5db85d57b34d5e1e12a83a0c91e880930aa3ff

SHA512
df3b5c0d30d770efbf3cdf7de24dccada141f42c8127b23e031ea920b55e1a81ee89c31a5da344b9bfb62b25a08b96402b2b28f38e1226435b2e51d9e0d1846a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe5c9717.TMP

Filesize
48B

MD5
9e62a738b2576394298323ec37ae460f

SHA1
f03be07d166a5b6344fd2ef5b6727b210ec057bf

SHA256
8a1d5e1cdf8c2fd2c4733a3c3ea165c629d689bdac9ec39d976d174f66876bef

SHA512
76a682086fe9b0a74158f899bc11af25c66655bc167c72dc2cc50a2c7f78b2941bf0e4c9df15833b87a92deba14d764b269ae9eeba3611f8c2a651e90215c3b6

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
710B

MD5
e4cddeeeac38476dfe72c5a4ad2763ad

SHA1
5cf6413a9b6238b2b9cc040486a2d78dd292ee42

SHA256
4c1fc319d31f95505eb2eb62a1edfd651f16c14ee7aae82a3c582a3069be3b53

SHA512
dc046d3fe797fdff6e5b291075c3cb1c4e83d52d1c5c4b3bebe869bdc6c43eddbe7d6df5b1e05966272458d78fcdf7551af8e52ed2973db83e7ee8b290457fbf

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
822B

MD5
60f47ff7d027b9ba9e63ac9124a3f344

SHA1
7c281af392b5f7ba5bea9ccfab41d1b128a9257e

SHA256
89e52347ef32d24ac63bc9171a2a490f4f2878129665d3b036538d9f59388817

SHA512
baac0b3e06754fd085d753aab14d8f5341f13960e487010385d686f81c7c0efed9c4f50186430eba55af0b552cacf2bdea4161efed5d040339998c61e519c288

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe5d5268.TMP

Filesize
529B

MD5
edad5368b6b5e5f2acbf3558995bc21e

SHA1
d5a6d4530220ec36d85831137022996885b8b607

SHA256
fdf071424392ae72dc0efe9243cc84c811d09704491bea3cf37640e27cbf5ac0

SHA512
d8785c954c335f74befdb272a04c8d3526ea9ea911ab5b50364654bb45fd391d974b56cce99478de161b6fba39964b5142635a3624cbfe48ffe8da4b3ba9f31a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
300B

MD5
8bb0924f17b652ad0205be92f08ee0a5

SHA1
4f33f222ef6a0cc9b16a54eaf79aecbee5a4e5a9

SHA256
1258bff1fdaaa7115ea004643409d83cc971a22bdebaefb42eb1319234fba373

SHA512
cfd425be291b84469a3a4f30c1cce24504f6b853a61a3b9cc5cded071c32ca7e9442c318fa3cb29eed2582b29fdbff4ce510e4a2544d10921c4c1f4418a1d8b5

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5d661f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
8.0MB

MD5
8e15b605349e149d4385675afff04ebf

SHA1
f346a886dd4cb0fbbd2dff1a43d9dfde7fce348b

SHA256
803f930cdd94198bdd2e9a51aa962cc864748067373f11b2e9215404bd662cee

SHA512
8bf957ef72465fe103dbf83411df9082433eead022f0beccab59c9e406bbd1e4edb701fd0bc91f195312943ad1890fee34b4e734578298bb60bb81ed6fa9a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
8.0MB

MD5
596cb5d019dec2c57cda897287895614

SHA1
6b12ea8427fdbee9a510160ff77d5e9d6fa99dfa

SHA256
e1c89d9348aea185b0b0e80263c9e0bf14aa462294a5d13009363140a88df3ff

SHA512
8f5fc432fd2fc75e2f84d4c7d21c23dd1f78475214c761418cf13b0e043ba1e0fc28df52afd9149332a2134fe5d54abc7e8676916100e10f374ef6cdecff7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
8.0MB

MD5
7c8328586cdff4481b7f3d14659150ae

SHA1
b55ffa83c7d4323a08ea5fabf5e1c93666fead5c

SHA256
5eec15c6ed08995e4aaffa9beeeaf3d1d3a3d19f7f4890a63ddc5845930016cc

SHA512
aa4220217d3af263352f8b7d34bd8f27d3e2c219c673889bc759a019e3e77a313b0713fd7b88700d57913e2564d097e15ffc47e5cf8f4899ba0de75d215f661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp

Filesize
8.0MB

MD5
4f398982d0c53a7b4d12ae83d5955cce

SHA1
09dc6b6b6290a3352bd39f16f2df3b03fb8a85dc

SHA256
fee4d861c7302f378e7ce58f4e2ead1f2143168b7ca50205952e032c451d68f2

SHA512
73d9f7c22cf2502654e9cd6cd5d749e85ea41ce49fd022378df1e9d07e36ae2dde81f0b9fc25210a9860032ecda64320ec0aaf431bcd6cefba286328efcfb913

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
8.0MB

MD5
94e0d650dcf3be9ab9ea5f8554bdcb9d

SHA1
21e38207f5dee33152e3a61e64b88d3c5066bf49

SHA256
026893ba15b76f01e12f3ef540686db8f52761dcaf0f91dcdc732c10e8f6da0e

SHA512
039ccf6979831f692ea3b5e3c5df532f16c5cf395731864345c28938003139a167689a4e1acef1f444db1fe7fd3023680d877f132e17bf9d7b275cfc5f673ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp

Filesize
1.8MB

MD5
b3b7f6b0fb38fc4aa08f0559e42305a2

SHA1
a66542f84ece3b2481c43cd4c08484dc32688eaf

SHA256
7fb63fca12ef039ad446482e3ce38abe79bdf8fc6987763fe337e63a1e29b30b

SHA512
0f4156f90e34a4c26e1314fc0c43367ad61d64c8d286e25629d56823d7466f413956962e2075756a4334914d47d69e20bb9b5a5b50c46eca4ef8173c27824e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswE76.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswE76.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswE76.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswE76.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswE76.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswE76.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3192_1293540554\6b7fd29b-a752-4232-add6-6269d5824661.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3192_1293540554\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF43800641C131D4BC.TMP

Filesize
16KB

MD5
2c3154ed842a89fcc9cadc0a49583234

SHA1
08f8cdc287b506f89d9e6fa77c6e23a789c7dbc3

SHA256
d53dc5f9aad2dd074133ab6ed8cf7da202772adb27d485fdcb0cce6eca523b27

SHA512
d6655329e63851990d36170ef4a232015c1037158d6f3503a52abb44038457001bde69439c3de980e0fb04f8ba7d93867958c507a8b3df06a993bd144089be2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
365B

MD5
fbc0c81ee26e895b9a248c24e9b210ed

SHA1
eaa1ef58f6f6d87fb0dad27011387e4518e57963

SHA256
01f86d15e1ed09a19730bc17b52b6449a25ec2bec5198a6e85edf29c1ced5afb

SHA512
03814dfbfe9e46a91dfcaae54433813ce0ab250743fec0906dbfc8d637db85c21b998db41fd8c5e652c00c870b01c7642fe7bf55b37175c086993f15dc6a826c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 548066.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping9132_268950594\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Windows\msagent\chars\Bonzi.acs

Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
C:\Windows\msagent\chars\Peedy.acs

Filesize
4.0MB

MD5
49654a47fadfd39414ddc654da7e3879

SHA1
9248c10cef8b54a1d8665dfc6067253b507b73ad

SHA256
b8112187525051bfade06cb678390d52c79555c960202cc5bbf5901fbc0853c5

SHA512
fa9cab60fadd13118bf8cb2005d186eb8fa43707cb983267a314116129371d1400b95d03fbf14dfdaba8266950a90224192e40555d910cf8a3afa4aaf4a8a32f

Download Submit
memory/3224-14086-0x0000000000990000-0x0000000000E42000-memory.dmp

Filesize
4.7MB

Download
memory/9080-15766-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15908-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15637-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15810-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15812-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15680-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15788-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15338-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15718-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15635-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15733-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15840-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15842-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15843-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15600-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15561-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15058-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15809-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15620-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15846-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15845-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9080-15844-0x000000006DE30000-0x000000006F171000-memory.dmp

Filesize
19.3MB

Download
memory/9108-15059-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/9108-15287-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/9804-14131-0x00007FFDC2A80000-0x00007FFDC2A81000-memory.dmp

Filesize
4KB

Download
memory/9804-14130-0x00007FFDC3100000-0x00007FFDC3101000-memory.dmp

Filesize
4KB

Download
memory/13244-15048-0x00000000042F0000-0x0000000004992000-memory.dmp

Filesize
6.6MB

Download
memory/13260-15286-0x00000000044F0000-0x0000000004B92000-memory.dmp

Filesize
6.6MB

Download
memory/19116-15744-0x00007FFDA17F0000-0x00007FFDA28A0000-memory.dmp

Filesize
16.7MB

Download
memory/19116-15743-0x00007FFDA2B30000-0x00007FFDA2DE6000-memory.dmp

Filesize
2.7MB

Download
memory/19116-15741-0x00007FF6A85D0000-0x00007FF6A86C8000-memory.dmp

Filesize
992KB

Download
memory/19116-15742-0x00007FFDB43D0000-0x00007FFDB4404000-memory.dmp

Filesize
208KB

Download
memory/19344-15784-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15749-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15745-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15746-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15747-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15748-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15750-0x00007FFD81530000-0x00007FFD81540000-memory.dmp

Filesize
64KB

Download
memory/19344-15751-0x00007FFD81530000-0x00007FFD81540000-memory.dmp

Filesize
64KB

Download
memory/19344-15785-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15787-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/19344-15786-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/20048-15791-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15790-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15789-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15801-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15795-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15800-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15796-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15797-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15798-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download
memory/20048-15799-0x000001D86B170000-0x000001D86B171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads