hxxps://drive[.]google[.]com/drive/folders/13MtqH842HfaviwoeATHQo4_KEPy1fhuy

Analysis

max time kernel
899s
max time network
896s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-01-2025 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/13MtqH842HfaviwoeATHQo4_KEPy1fhuy

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
50	2076	chrome.exe

Executes dropped EXE 3 IoCs

pid	Process
832	winrar-x64-701.exe
4300	winrar-x64-701.exe
2144	winrar-x64-701.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133825821559920242"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Applications\winrar-x64-701.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\NodeSlot = "5"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "7"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Applications\winrar-x64-701.exe\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\winrar-x64-701.exe\" \"%1\""	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\project riverside patrol server.gz:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3176	Winword.exe
3176	Winword.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe
664	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3076	OpenWith.exe
3328	OpenWith.exe
1528	OpenWith.exe
1360	OpenWith.exe
1760	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
832	winrar-x64-701.exe
832	winrar-x64-701.exe
832	winrar-x64-701.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3076	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
3328	OpenWith.exe
4300	winrar-x64-701.exe
4300	winrar-x64-701.exe
4300	winrar-x64-701.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
1528	OpenWith.exe
2144	winrar-x64-701.exe
2144	winrar-x64-701.exe
2144	winrar-x64-701.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1360	OpenWith.exe
1760	OpenWith.exe
1760	OpenWith.exe
1760	OpenWith.exe
1760	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 2648	4376	chrome.exe	77
PID 4376 wrote to memory of 2648	4376	chrome.exe	77
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 732	4376	chrome.exe	78
PID 4376 wrote to memory of 2076	4376	chrome.exe	79
PID 4376 wrote to memory of 2076	4376	chrome.exe	79
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80
PID 4376 wrote to memory of 3312	4376	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/13MtqH842HfaviwoeATHQo4_KEPy1fhuy
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9a0ccc40,0x7ffe9a0ccc4c,0x7ffe9a0ccc58
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4936,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5128,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4532,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4484,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5268,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5344,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5400,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5420,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1000 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1576
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6080,i,12448331227183803019,17261303337423534841,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4704

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\project riverside patrol server\" -ad -an -ai#7zMap13726:122:7zEvent13048
1⤵
PID:5000

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap15184:118:7zEvent20733
1⤵
PID:1132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3328
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe" "C:\Users\Admin\Desktop\project riverside patrol server"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4300

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0a2a2b581aa84f028d35c7f46ee60757 /t 2608 /p 832
1⤵
PID:4400

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0312b0e29e074f35b6a6c37193f7320e /t 2624 /p 4300
1⤵
PID:2488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1528
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe" "C:\Users\Admin\Desktop\project riverside patrol server"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2144

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b4892c3e90ff4436b6a81815ad24a74f /t 4312 /p 2144
1⤵
PID:2456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1760
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Desktop\project riverside patrol server"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\162fa437-a09d-48f8-85d9-967a1c65eee4.tmp

Filesize
10KB

MD5
b4ba5b94a0adcf572b32981b636bc1b3

SHA1
40d867b871e0890c65aaa41cfc33461b83882652

SHA256
979aeea6f14013421393d1b02d85c5cc9b3d64fea1ef5135a6076f47d7b4e606

SHA512
805d0dde4fe6b0d6c822c43495a65f6aeb5d046a865ba1d6fc656e386f11eeb4be3b589c9ed47639ff23769a5642ed898a3c0ca9b91de9381ed972f6011d60f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5dc973a4-3d60-45e7-b04f-2f75419da70c.tmp

Filesize
10KB

MD5
a79da201a6dbc9692b8a14cd74fc8e31

SHA1
7c6b6a86790227e7e4eecabf199e0f6c52715694

SHA256
18645ba980a2d96103ddd821c8e5597a26539a4256086514feb0a86c3c103c85

SHA512
ea34b94fdff140eb42cc229df413d1d4540c00ae04dba250f59eff1af695ac0423c2c5f31cecb151916d05e6f1f82f5f5aec3174dbe01e2bdbb3894b4d092743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1487c4264d43f44d3880a8f25e7b5010

SHA1
6ef23c69a60aa17dd94fcd27d0c221e6192ae0da

SHA256
ca3ced2428f3c198656d55c6e66a2d09e2d1cd6b47ac3c0f061a03a93534de7f

SHA512
80d394315322ba58d1e5959c9d9b86966dfde5a8c382df3497736187ef7a6306e86556de24fc02f7b5f1b81d6b48117021ab1d96b980d7029c56843097a0b18e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bd7048373b95563bf72045c8817ea871

SHA1
5f9ae167afaa3f85719adc58dcf56bc1c6c9c10a

SHA256
9afe00e6a631bde855c2ddd312ac67f3629fc21da361a5d4067a75c49956c3f6

SHA512
5b0a94f83d85b079c068aa64caab2d129cff05d45de62b2dcbe6691bb8470804df430600f57e64987573c9820f22c467241bfb81bfcdcf909d3c4918e1aaa5f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
7eccaaaaabff8ab07d34f362d61c32f0

SHA1
2747b468816d779f672cc0b3c5533be5926bda48

SHA256
cf5437990afde778ebc43ba2585ea5dab358e091ffbde041eed1239361ba45f7

SHA512
51f2cbe2223fd27a1fd19ee3458cba0917cf72e9225917d9ad12d4be4c58be93e416d2e707af3da12f108307c3cdc5b717eeb7a11a7348a6c498301cc77f63b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
a2acce210bcc22189f0b9cf094d08fdb

SHA1
0d85e2c1a78979fc5e7e9e05276f5a650c2c1324

SHA256
7c440d9ff7e720db21293d5a5adcc0a9acd9ac2962b3d99a19cb85e24106f660

SHA512
87ea1225baf0cab7bd8d324b014c50ab42f9a3de35780a9803876bee8071eff259948c741e3b771447c2340a6d4634525fb61b703da7feaed4a0d49dc8a27334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
b241ac3298faa64c0e870c395a4ba735

SHA1
43ef39fe661c85117721bad1543a2d3812a46955

SHA256
1a1bfbd381e147518f158fc78af4fe6860d31554a7c23b57b826599e4f9e59c6

SHA512
2affed08d55a843b584c2f5bb2e565582264ec02aa8db20b083bfaf72a5097fc49e98f15c5841525034f71f1b6c0efce27c35c4ab1f39e522a0455c2e7127ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d715833ea20247052a64a361170d7bca

SHA1
cba5923ac999059a11273c99e73e4be56b9fa945

SHA256
c6c09330d0c6caf34a74dbd48a57f8ada8c79ae5679870f6d97d469f2cecf1a1

SHA512
246fdd3e888cc74d77e2ed64332b68a6295839aa7b135520be2a53a28ba2b353331a0cb176869cf1f5335989aea73417d3e868e5ee4508cc88c1e760b49271cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1571e1a5a6b1ec33dd52ca30ddd8c1a9

SHA1
1eaf26b7bd6e91f4353a650292dcf0cc673ac12f

SHA256
d4fca684bfddcd33c935c2b9a34b2b81052bfeb05b1b026e05b3328fddb46201

SHA512
e960bad6400f9e45396232b03e17e98efd10c3f1e0255c0fa99966566df9220961f1dd6c6ec50268d29daf51a797b77310595f7a7ce347f279c87b15125268ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
db72744054d0a628cb68203152080576

SHA1
fe1869dc9890aa7b8c0f082afd8009ae97899277

SHA256
9c49c950b9f52dbec20dc13deee1228160a4081172a71bdd1dabde54c083d1b2

SHA512
d30106956e5734440c8c9b821784a9c60b05932cc9b61550d3d0351856674ba92d7602681ddd10d068655b7d904d98f9175c581ce455665863a001fb437451c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e34328f07d51add4963611fc6eec151a

SHA1
ad73cd1a066938a2d099a6c12a9b2fc72245f9ba

SHA256
0db976617318a439ad3c1215b6e37eb8d6691aaf036e4ca843098d48c9e5c685

SHA512
cde9e5432eac169c03edd1817f8a480177104540775bb80aafc2b06b87c2eec9abb0f2d013bba28935809dc70516c892705a394424e2883066e7322b84e5c25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5ecc8bc143b00ef837e73811f0c36982

SHA1
9798ce4b9b84ec01d4482909cd38e1f8f4cd6c67

SHA256
5a20437b2d6349330ec51674d60f6507986db5624f30d4d6e32c07f683014567

SHA512
7d79b274f7e6121cd4641e5a927be400139da5381fc744d0ab64858d335e0ae5d1cfb9e2ec4d15a6f5c1b2f44c4026d1224a324c0bbd3e57949dbb641155efcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
73f0410269e72506305879a52d5f551c

SHA1
13efa2143e27df463bb6791d1b3154bbaa6d3d94

SHA256
98de827cf0233b9e2b442d58ebdee1c06688ba89d86dddcbac824c1b5fd98bb4

SHA512
16caac06bb992e66a47215829281b9d459111e7f22441491ea47b2e84f48b6cbc1f132c4b545f8d42c13ceff5bba84372f2784e09605fb797998ee9d1e90dea7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
384220bb4117066a9227a90dba672542

SHA1
405c24cab651c652550724db761311dec4d9ba68

SHA256
0c28d47acf2366a9754eb7e6a648e7b10babcce2463d670be8e939c67f3f2dcd

SHA512
b499ecd95ee62f70d9400896c646f6f1abf24ba9e15b737ca47597bc429058b7ec69f7328b8f59fd674c6884b0f3872f9cb20cd4297ff53e5ba1d5969fc4104f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2ebe7fbe327b29b63ae36f8c21761b9b

SHA1
5fdcc279daa9979ae96a7a2112d8324c0eeb342b

SHA256
704e026442696f9674361961fdac13b989fd92f0842a3c3309cbf446f3a65569

SHA512
2e8f0810f9b210678f7c7d1d507fb870a2993017b1e50f3f3254d29a365023548fe3c205edf0830c6692efa2b48e3c67f3ba160829b41ca4247d5dd8ce71d3d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e775104fe49202c9ff8494a30309804f

SHA1
ae5343a0c717df42528e3f9446bb60b1beb9ba7c

SHA256
b3c20ab27413a751fa1dc2aa043f0af3d19ab483a61ffe918c384c4e58b5b378

SHA512
726d9c0bbe98a4c0da43bc916f56dbabf453c0f9e888f12393f593d9a960c891c35f6b2951e1b21ea2f3d2fc41763f03333b928b11b1204885e6525c7edab7c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
951cc58b2180a3cf5de7ac52afac818e

SHA1
0f7f48bec790855338dbaaba9935706cb55f480c

SHA256
fa723319e773651e83ceb36845565d9da97e57ef2a4101f3d29181a33f21b11b

SHA512
3c25cc9bc117611478e2da16f95839809ccc58bc1b226aa1c037a6adc8949596278784364b3415ecd19044ee9c2e576735a9e6749cc887e8c0c270cfd58d375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
80f096d1a0f5e8342282a862f17cadcf

SHA1
207dd9903205018b75332af911ddd7cadd534d3a

SHA256
cd7c7d2876a4a336fc873a3c910e8d0aa19a4d78dbf732a0f25f794401aff209

SHA512
38d54d81ac7713c5335696079b4a679b3b45ca06f528dd6c831ed3927451cdedb04113803a9559b8867a7cd07eefda01698721c4461c045fe1d225d3bf51088f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f4b5a5375da64aa1a387e27004a4a25

SHA1
d96d80e33d279def9fa2c10cdc65640895a988c6

SHA256
f29d5b493e60c7da5ef768dc686f5c7fb799ad400004cec255c632eef2a675b6

SHA512
85cd8324df37f5e3d77e57f925b110200e7941fad75d43bc482f9ad0185c81fd87daf8ece10ad5b18efd6ec4db1e62ec162828d549e05b37c59d903029ac6957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
64255a457319946919dc6980c79e6fb4

SHA1
8fabcd97161c4ddadf124e0e5ce0a75dc0f713a4

SHA256
21803795c73cbbef1f43bbdaf0546742df01d832475703ae2f90d80029a95ed1

SHA512
01b6cbde2a7849457dd5b470f23db8670abfda27db2a091e32ab0eaf11ec6764fe7d798e653570fac921dbb074678820c7f06f47c6c42902b57dba063f0eb844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4fe3cf156d176dda5b635703751d0aa4

SHA1
7f6e6ec4b5928b6648fb7b7fa384fd380c7947e2

SHA256
125e10c9cc6b549ce63ef350ec47a8e31b96ab739cebd304ef09240371b35665

SHA512
b52cffea841387aa1208dc8a306f7bd327633544c64f57cb770682c9def616be35aa8b1d2418d19555e93c81af084c5b8df7e7ba71d795db08ee98312b8bac27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b4f2493374e4c36f0d4a8bf265446b28

SHA1
da0cd3b1563ae8520329946b71b0730fb2823c67

SHA256
ab7148915108db6b89fc4283a3e1ea9b1ded51987bfccb475734039fcaa6350b

SHA512
cf0359d0b209d721fb66231603e8f39deee0cf0323fc2ac00e72a7e4f74dc0e74b06ad0720d8d6a21f9675556983fbc985d2271b40de3bcb0f77beeaa4707e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fcb3597f2d27ddbd1b57799be633aee2

SHA1
6b62a1c2b911034b99a5406a76689fec383d806b

SHA256
b729f5afd446134686e8438867cb23fb08979afe0d8558cc7c0fefffafe85b0f

SHA512
dcbee2b4021c805a5eb2eaec06186f3e54b079f9f678ca56e161a28b40dddbd84af59d65929c143a94a7070678d34cdf2c5057f67ca8322fc919282bfe60c11d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c1e2d43ebfc11b40c4db69249de3b54d

SHA1
82498ab46cf462fbd6c78084de194a9e2197d6c3

SHA256
b8683f707b0bd2a759cc86ae665b649a5d1de341df506b411b7b159d724df169

SHA512
16b7c3f5b2c51df9c6de7e49be897ac68e91ba312a2e7f8911e86b3c8aec66da1e546c04359f82587cb934a833a69f6bb007b05193f81140bf8015e686e32c3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f27fad9f8880f719827807b54a86581

SHA1
c2652318cb757db6e2f10713531f024e1d80e93e

SHA256
96394392610bc13a5243e48ad97b7b5bbaf6ab1ab29101c069919e85b247a4fd

SHA512
9256672c55de8d201d71ea0a6869048e0a68311c3d6f65b0f2e2bbfcf543542de3c5bc98a89212dea226fe1ea3caf301200fb8e89b6a72810a7b6d02db3262e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fed26344eb6fe81eb0e3c8f2e598ca09

SHA1
3b7d196d514c58261f33815d76df36ebe9a615b6

SHA256
e617e22e6f80b886b175bb3bdb15f5b7e45a459c51e9426b0f93266bf87ab30a

SHA512
875c38540f8e85329db6d9e96682e69429100a55cf12a62ff3f76c16737c087292ffb4362327391673f9a234ce92f4d82a0266f87ada7a7de470f9ccb5503e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f12c754d9dc3293c93fe7c4d1360ef0e

SHA1
26d8438292a88fc247cfa7c8afe1e882c0e799f7

SHA256
1f357e5e1a8c462c636612545e808ae816b68db8fcb98a05fadc5a78e7ea23c3

SHA512
221c494779f2d18a780f3f84a3b5a448aae7a451da7f18577813d961a822557710a1fe921988eb981bfd1222c552fd3492b467b10abb8bb90ca6164bab303a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0ead1ecc6f92e0a1b85367af119f313f

SHA1
c8e173e6b7f71d44bf06ab2435e8af2d001cac0e

SHA256
8f7093952b7a014275cfcdb11344cdcac53533c0e7911cb70a57e376f54baf51

SHA512
1e5907ca44b88101d5fa03b6800c2186008bd8a2558a7cea5bc670f904dafe027bee836cf63414bc6e520380313acfb89ccf6919750dfbb6ae7363a236340f20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
14851368b59eee66c366c1c7d8751145

SHA1
11d0f0f1e00fdc580315809083e7fe4d5e1a17cf

SHA256
30d14f1f35ceb536adb47cf55f2f66357ce91739b740e9a401a39f9626507c81

SHA512
0ad8262641b8ba50704329a52e14113b311d0409fa101ad800cdfbb01a6ce3f54a7d394a2392b5b24e057ed6b2057d16206099373a37940a42530efd964809d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3d17cd9d124fe00495b79f10dedb39b5

SHA1
29808ea98057a58e2be1be66c40aa854cc402fa3

SHA256
f044a5c8510242131c8e8e96b7746570881a3f395b78281c6577eff0e830bb61

SHA512
58abbdb4661384c69398bc3086c7cde03668ff7f093e399e14f2f15139bb6836deeca73667cbace5a7efcc287d61d58144dafbf2ea11ad350131c262fd85f8cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6f99e1111594201330f6559d03a40346

SHA1
3ca4075ff5304e62fce99be5e858161e86e6a595

SHA256
8e5e34a88611593a6d77b350bcf626fbf567814a1cd0aec1e9724aa4126cb3d4

SHA512
3013ea3a81b157b197abf386b34d82e80568e4782e052d35642f716770ac9f9ca098f7347aca44144190cb6a6388d464aaf459460ad85ba0b1f7bff86fe6fb5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
16661eca3e7d6a3c3b0ef544b0cbdccf

SHA1
0ab2a407cfa2420ade85fe149036b942daa5704b

SHA256
a0d42807ccb80f00f2212a5f23256860775a3468b6d0021a8321502c72b9b9a0

SHA512
a4d1e1be3eca86dc867ffeff755b6f4c9f693ef52787a804adde5fa7b686a463b2c2c007d6ad8880c6576cd9bc5cace5f5a976131de9d27441df240f8170e3a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
91a7c3d7c4c26ba1674492950f985192

SHA1
418c6bc591eb3606bf6c26392da06880095e8d49

SHA256
3d90b6aca46560432c80c9275ff31335888976020c45a37acf342ae249a3b0c2

SHA512
5229fb96221555f21605f93e8d091f21db59134d8761302f7243ded55449a819374bb94c1ea23cda842eebf54a5f3a5dc53f798d723fb3f7eaeb4d5b7c573fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4d90797912cf1a16aa2fcff6491bdeaa

SHA1
1daac47ff7153ad71b3d763a96bc675d2eac2554

SHA256
63fbf425ca5765288d88b38223be559c1e2b856e95942f2dfbf7d15f03e91ec8

SHA512
f504970453ae4fdd20ba76bfe906f65058b7b491a05d79973652a675a80970bd7a01219d64c603e42d85b2479dac2e4d1ffe35779c25ab6fb6f7ca0f07f77420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a96bb64f99450c67c14edc700fc3275

SHA1
14235a39c9619845a274f24706941e2c4ba1a244

SHA256
4cb765d3a257fbe4be16dd8335fae659bb32805d8e44e4bee178835e6e545348

SHA512
8a3b625543d48fb2d7c71ce3d8ccbeac1ea6a984c0095648096ab44187de0e4bfd1a36c21591e8db2b548f8d6b63150b86689deb42ae78787dd2906b63d7b155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0d2ccfa511ea00550db6e4d9ddf80a18

SHA1
eb7f243f8e1e2b7eae5a387804953c5e3bcddaab

SHA256
0ae96bc85428ebb17a4936538771cc9d3b86ec8738af036a9d36c82c816fd6c9

SHA512
a0d7cb93e9d1221f23edc1162c9dde99a5188a82d80a62790510384bbe141db6f22b1c798d22f1e74296eda3bdfdbc841f274012defa8e9491b5e75340fbce6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
655974ad6220e47368046048e7cc1c5c

SHA1
5077559fbed94a5e620790827b5a4c62fbe81268

SHA256
dc6fbd7e473455135ca3c093b8f2e7b60ee90cbcdbe97549ed6bde2b88be05e5

SHA512
5bb66ab7f303f0d562fa8b7183f83faaf88e366717aaf43bfc6f6b95e04f13ce389f9294fea620c2d7cf372073f55fc333f66ac8a67c0625516abbb1e912bc03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d01bb5e37b3713400eed00d4c0aeace2

SHA1
8a60a0b39ca22008be4c872f5664f249de452aa2

SHA256
2fb7ad62e0fdb2fbb64b4c62c33127c39842986bab288bb918fddc2e84ad8f16

SHA512
688f95cf6e6386b01feb7caab9907d8412724fca1682be2db7f998d4105671ad888aa2811d8388de44372e9415878c0875028c762e85adf3cd30106397e5aac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6563d3303e3d4332bb8b6ac9ff03e845

SHA1
c93df5d07d6bb2bb16a16154a110d7f6c0c4e70f

SHA256
fce1c6c5db5193b255b6167c64c5c9979c93bfd8604cc84c390cb67dabc81fc2

SHA512
6a69e5727bfede227bf6a78fd0f49ab240212fdd3e95221bef1b78de6235c8288dbf6de2123e884690093993d045391453f0fb616241ccef6a8be845cb2c3ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1e0dac73b3d4a1ea7a22ec17ef907b33

SHA1
3afbc52449945c3061c2715483182c619a8a63d9

SHA256
624a1fe2c74fcce9dee5f9c9ee6dd608c100b1a7b4d7a376414cdb3d65a02f99

SHA512
6d0ae37aca9d21b6a6d8e2468e9ba6e03120a87e08bf756869c6ea9518b352b2e3884a3fd0f33ffa5246f998accb5169ba65612bd6899d1390e2ac6345aa609c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0963389c567905bcb6bdc90b72230939

SHA1
69992eea11c3b5840af26202eca06be33514b90c

SHA256
41b825d37f79d36c0d6c3d71d71cf7ee836519e50bc509252bdddd3de812943b

SHA512
46093e67c3b693d2a0167d863447d457561c088ae17457d4c63c07e76efa196ad8b727b954af01ce02bd4723452836cc4b76833df68b85d71f924255575a71dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
939da972732f5fc85910981e7e427f57

SHA1
82561a68902627764069bc0c80879ae97ee25be8

SHA256
170018a29a1708ba3f7f7214d3faf91e0003454132537da62a6946ffd4437085

SHA512
306bfacd245426cb3e62d7059cefdbe65ae181adb6c86d72a89ace98678af80b326535f7faf51f610951064dddce0e5a3a3c6118347e9dcf15a7dc03413118fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a247bdaa3ab7a3d7a4b5f1c8a92544e

SHA1
19650bc285de1aade484fbe7801ada798c50346b

SHA256
7e27d9c1fab55f9d9ef6725b7befb96759807eb4ac79ec8903784f1c8d81af7b

SHA512
a193e03d4dbeb908c999185efd9459b3a2c3db7c66aaff9df19efbf8ed68a7d434dc9f3e96609c7251f3e2136195b6be578b268d1536544fe1afe75e911f7fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5112d5eaccee110bb8e3b4d0fc241fa6

SHA1
fff3cb93a59f6f1cb7eca895c5422899ffacb7e8

SHA256
f57da8cdcde8442f8c946a40ec5cba03b3f09899c6e24354050675f56e4974df

SHA512
8631bdbeb9838c638e6b4d4066dbfe5d6d163517328ff3a6d8b6d6b6c58715b5d5b9762cb924819aa121cfb122ce197801045494ea3a8d47d4f9e792d7b7bbbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1dd2fc3ddf1616513670befc2d2135ba

SHA1
3e8d461371dfc0b06192273428c63b56ab0352ff

SHA256
cf322a1fb155f3ad2c83b949641b693f98ab86bcc5f2101ea596893e24d708d1

SHA512
111eb24a91116565282d3f3926b05df5c2b6a1e4974c711900b6f35a75cc50e41eb6ecdc772807cfe8be26067cf856c0d812c0299ace160f130c274c32ebe1d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d4671b65d6d6efca8fef4d0fb1f759bd

SHA1
8ebfba442e39702f271cd6eaa39a481162808919

SHA256
6b84e8575b2efa08bb4e16c45b46d079affc5d27c6e12795b3af26aaa12618ee

SHA512
87bd540b60be32e6f31b4aff2f1ead05dd11ae367d5dfa76d978cf49328e9e5d12c59b4ad362dc49354d65eed948653577d05de0582098989b93aaed6a7967e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1041b696ae2282b72e42bc0e0f507d74

SHA1
6f03aea3f680a375be5e7ce1134140172ed67347

SHA256
da1bd93cc4c7b6a152a1058db9acb2810f2fd6c40a2006d055bc60bc9b502507

SHA512
0db75af4967aa4de1437a303507f9be5956e33c53245da4dcb4f9d95200cda3a4ad7eb5c369939fec27b9e4751ae4a5a86e15d1be357e64db9666066e96f7289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
44ae5733d4acb7213ed4faaaea68bc7c

SHA1
69333859d1240204a9a4be3535c0c6cd6f5c0c39

SHA256
b878879d03f834a5bccc780980cdecc1bf4cd17d90bb80a319f7d74e9c7ac8c8

SHA512
caee195cd6980f5e9afe946295f16777231da19dc61f38c2c75b50e15af650937eb2a22efcad95041b0e6af9930d5ed6b60dca895397276e09e68ed89e7b9bfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a7d9f0d02da4ee46e178ed490c5f2c17

SHA1
30cac1dc2e1d6360d225e15d4f61c08cdd9c020f

SHA256
0dcd35f8bdd470f7315d7f3c5f033019fdb7dd85185bc8cc8b9cc8c326bdaa31

SHA512
e326949ac88f9ab41c644c59890185ad3cb0859ebaa5bfca6d753baabeac18ada5a49a500a54b59ae28ac420fe9ad3e83825dd8e59a434d3f439a1116a93e513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b63806672d3742165d6e19aaebed0214

SHA1
5739cce1675b0a72f9bd5ff09fe029891496f90f

SHA256
099f3c931df56b5e0c11081e8ac3dbd5e89286859aafb6fb943556234af6d497

SHA512
e7eeb99da95329d3a5cff0eee3fd608ba6eb1342ec47191fe5b417d301affa150895b0a5d0be2b9a4c738b43a7c1dab234302fb7807a5e898232082ff9b6a6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
43dc1b86dc1d438ea0b11b6539152296

SHA1
a03155f1da7a2903b5af85ff4ccc956a84a95bc1

SHA256
0bb318108338178086d41a2487eba47b48613e6ba5bc76a5b0c77d2e54a1d13f

SHA512
9ef446fd97d7b818157dbe177ec42e11f81ceb45bc915e1a68f60691def04db7d0dce09de83e17a849049c60d4c9f5c1357262094c5cbe33c1f3bee413630ac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1d321a5c801c95b4790ed87536faf9ae

SHA1
c308985a92489ed1d458fb79b71521234335f73a

SHA256
01f8671b24ae61a42b172b4a60af185e11a4c47dfe756aba68414d648850ba7c

SHA512
a7a13629bd8440005e7fa3b1268180c9b1b4354ef9751e63678079e509d414540a443adf22656942fa31b7f37f50a414c0050cfce647212dccafc8067f83a6dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b33ffd9d9e977cd24648cf20ed705200

SHA1
b9f5bb685a3b6796f9a4ea1bf2cd4aef4cb2c961

SHA256
330720cbdd08e121934b2c6c549db6fede295123b0b3ab6df468a7cd0b212584

SHA512
6180b1207774ee2a699823f433070477b571b0d2a65f5e0544f0a35a086d879ec5112df5de94ab8c5a9262a543dc963077defac581877e70e16b202b9d5973f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
102a415373aedac4bcb191799f96fc22

SHA1
812ee9e20f9c25558b88ca5efbba4972b8def095

SHA256
7b45f251f2d688f0bdbc30debd0f1340e9f8772e82e6bdbf4e74d0cbc0d72c3e

SHA512
31d3f133ef3a4cac0ec02f7ec17a43437883f8e22b3649fe7b47336ba2a6f4bf9591392afefd3c53a30fd641dae40ec27d66e2e96630b1efb86f3f8e37eb16d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
51a7a2598bd7361c860dfd676beeb6d6

SHA1
ecf498cc5b384a86c06993f033582a06da8e5a15

SHA256
48576784d89753e502a71aa8b5e606ce39e417ad23dd3d2f4bfe4853cb0f8470

SHA512
9d7a461490ce2e9cceb9c51568496dbd2893436feba77998f8931e55cf2d52ae6b699ab6eba36c5791e8509f527916423c0e7918029be7f71c8bca4b13f8b210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b70fb4a89b73b280b43ef3b1cf514ff

SHA1
6870c01468d6d4cc951fdab5c2faf3d3a9d06355

SHA256
847706958027c6bbe536b434721f38cb8c60bb1e4db1a304f7532a86c6c5b9bb

SHA512
87be2d3e1b6ca2046eff93a0081b6386b6a3a27f23708a251eabc215fe54aadc162c13f97c45cc33bd7d01a8ac91ee472342c78cc753375cfaa1c2c9b968d84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
47e6bdf802212c7f6a7ac27a38cda6e2

SHA1
4499eb013513632a51203a6f88d4c50194b376eb

SHA256
6cf544296cb35bc6164c36a4e9574f26ec87e27c2c1c8510c6195e669729eb08

SHA512
11f6220dbc1f523a0a02d0dd94b4d06da738e0a4b9222d4fcd35b534b1938269c1aa9e459267af93101407ae68fb7465a5c309b3868444263086dc216396097f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\16.png

Filesize
566B

MD5
b3b099003f605d552145790cf1b71e00

SHA1
6dc54b1268536935e9ac96a27c34c03aa1a1eccb

SHA256
1d1113f78a60a4702db32f106598883cb864cd273a708ee292dd6003e3cc8d4b

SHA512
d078de028160ea917c24ccbda0b74a8374a2153c7bd1f5a108710b102d64f0ffdc57caefe2979153a8d42d2e8d7a85089680bfae9f4facaaf048d8d93494d5f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4376_15318895\Icons\128.png

Filesize
7KB

MD5
8eec20e27dd654525e8f611ffcab2802

SHA1
557ba23b84213121f7746d013b91fe6c1fc0d52a

SHA256
dc4598a0e6de95fae32161fd8d4794d8ee3233ab31ba5818dfbe57f4f2253103

SHA512
b19d628a7d92a6ec026e972f690bf60f45cbab18fc3e6ab54a379d8f338da95e2964ecdc5e2bb76713f5d3ab2ced96766921e3b517036e832148d1fe5fe8aa6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
43dc339b722f828b1e00d878fe4b6fd7

SHA1
06854cab60ef1f2aacef48511b1d5d5c6a909aef

SHA256
8bd4f0a8174015873993a5b491207e009219e0c936534df1840a6617e47f8ed4

SHA512
62e107a63924f2d821eeaa9a5e2b816f90a3b1743527bc75a23591aef94c6fcbfa23863fcdda20138997f23ade976598fcbd76c9b6703740938d72395cc07876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
1ebe83c01fcdcae8f8bfe8850dedf30d

SHA1
bdf1cc6957a8e01f2e8c3960f244af5b2b303ffa

SHA256
cfcca9fd10c44736ee72d41de1e805e642a3906cc25c155cb5fe74d2112ea55f

SHA512
6b113ceecaf4919c98fce53116be2f683e092fe673938be4e5d916bb59d536f57d5378d0d2dddb9ddb8cc099c10186ac8f54c836e2fbd911bb32d72df5534d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
788680b0dcf99eb22da2dda85201ac08

SHA1
1430a6fd2b454f31cbef84b7737034f689ceadfb

SHA256
9b33b3e3491d45bdd22e8897f50d7af69df1fde80972d5f60a583ab7d221b407

SHA512
ba00b6426e3910810a5375e86e51bd10c25b6be7269962e17777f949d6bc3aa1c7b252bc62141688267564e0f5050da8536032c66bcecda6062dfcbce5f8807e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\49a518d3-867e-4b42-9cab-f65e3f344716.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD005.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3176-631-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/3176-628-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/3176-629-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/3176-627-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/3176-630-0x00007FFE68E90000-0x00007FFE68EA0000-memory.dmp

Filesize
64KB

Download
memory/3176-632-0x00007FFE678C0000-0x00007FFE678D0000-memory.dmp

Filesize
64KB

Download
memory/3176-633-0x00007FFE678C0000-0x00007FFE678D0000-memory.dmp

Filesize
64KB

Download