Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Known bad.
Malicious Activity Summary
Dharma
Dharma family
Renames multiple (666) files with added filename extension
Deletes shadow copies
Downloads MZ/PE file
Office macro that triggers on suspicious action
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Adds Run key to start application
Drops file in System32 directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Browser Information Discovery
System Location Discovery: System Language Discovery
NTFS ADS
Enumerates system info in registry
Uses Volume Shadow Copy WMI provider
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks processor information in registry
Uses Task Scheduler COM API
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Interacts with shadow copies
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-28 03:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-28 03:08
Reported
2025-02-28 03:11
Platform
win10ltsc2021-20250217-en
Max time kernel
176s
Max time network
175s
Command Line
Signatures
Dharma
Dharma family
Deletes shadow copies
Renames multiple (666) files with added filename extension
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\Mabezat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Mabezat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3452737631-513087862-588053281-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3452737631-513087862-588053281-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\jawt.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\precomplete.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\ui-strings.js.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ar.pak.DATA.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-process-l1-1-0.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation2x.png.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lb.pak.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.schema.mfl.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.id-0B90E7CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{AA52FC6D-7A2F-4476-ADE9-5A5477DF6A64}\8tr.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Mabezat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133851857070954127" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{AA52FC6D-7A2F-4476-ADE9-5A5477DF6A64}\8tr.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa9b2dcc40,0x7ffa9b2dcc4c,0x7ffa9b2dcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1984 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2072 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2300 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4012,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4884,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4912 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5168,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5216,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5488 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5232,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5652 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5240,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5528 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5500,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4636 /prefetch:8
C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5472,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5696 /prefetch:8
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5780,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5664 /prefetch:8
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3804,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=840 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5732,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5708 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3436,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8
C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5212,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5676 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5248,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5508 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4320,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5884 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=840,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5272 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5312,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5784 /prefetch:1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1084,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3796 /prefetch:8
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7bb109a1bd374badaa3574f2d6d7381f /t 7592 /p 7604
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b33bfe593f924e29953937e0f96e033d /t 35584 /p 35580
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
\??\pipe\crashpad_1480_NZXWZNTCCYTQKMTY
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\Downloads\Unconfirmed 843811.crdownload
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\Downloads\Melissa.doc.crdownload
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | a18e4792782914f299db8a7826b1165c |
| SHA1 | edf0b3eeaa5b0ca24450a5b82293422af7e0b69b |
| SHA256 | efed8be5f4278ce4f9884e649302af566d68694c4b88ba035e79056cc2802a81 |
| SHA512 | 9852277ccb8e4509587b26e9d5f2d5f41bbd136af58487b6d47286b4b8b47ed513d427f21f1f2b34793138f0365e88e0fba8c6773fefff14e241855a7b6bdcf3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
| MD5 | 992eb8566c3d3f0c1e93b892900610e2 |
| SHA1 | fa43e4b48aa20587595988a0a4e89d5c351af3f7 |
| SHA256 | 8812257aae7b48d74a28abd6bb52bce784193bf031126b5c4c6b865c8c2ae14b |
| SHA512 | b03fc8d7f39e8101bab64b52db0132b723525d86b122eff52b5cb9f5bb5ccc7108d2e33d46626a18b8532c1240a7fe42efb381388b8b833789352f7171426c55 |
memory/1180-457-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp
memory/1180-460-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp
memory/1180-458-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp
memory/1180-459-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp
memory/1180-461-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 10aa2f518c20671de6f8ec6f4a76865b |
| SHA1 | 2417476d948146ed0b63bda9e9927b577a6e29c2 |
| SHA256 | 5311a590dd7efe98ac83e2a9980f43a4620365e2355995296f60700e3d13ac7b |
| SHA512 | 15692d0cb62950d0302776fda5afc5ebc318e8ab116a9b72487eafa872a7c0427464b1668196fa732b5cd5894fbda7744474a67e90b275c21749033a3af23496 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c3a8d92d3891cb941d225cd483629ea3 |
| SHA1 | 87b77052a6913acd1861532b9babc99dd2eabcf5 |
| SHA256 | a505dacf7daacfd73741d44789fc925572d3c3b35e23597e19bc252ceb8746ab |
| SHA512 | 0da9a6203f7d529a7a0f74fe2bcc5c87b7c910a176bd7ee61036d9d19f6be56124aac994b078d883fb90223cfddf698b60311026f902cb6204c1ca693a1110c4 |
C:\Users\Admin\Downloads\metrofax.doc
| MD5 | 28e855032f83adbd2d8499af6d2d0e22 |
| SHA1 | 6b590325e2e465d9762fa5d1877846667268558a |
| SHA256 | b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e |
| SHA512 | e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D33780A1-953D-4F0C-9797-5A632E68E2B1
| MD5 | f8217fef67118394bd577886f171a493 |
| SHA1 | e2d2bd5b3815f5c8dc21c3b4075bb7539a649800 |
| SHA256 | 2694743f1983d5b9319632f3e5cc7006a064d35027c3c16e7eed4796075c8f9a |
| SHA512 | bad36a3c5e8621c9254af3898f6811f2e06b0df79cc90386d55e957fb9d107ef84ad86dd0a17cf5d1d05a9a6a17d3b8f34402faf44e5a720b93ba6c319dbe7fd |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
| MD5 | c56ff60fbd601e84edd5a0ff1010d584 |
| SHA1 | 342abb130dabeacde1d8ced806d67a3aef00a749 |
| SHA256 | 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c |
| SHA512 | acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
| MD5 | e4e83f8123e9740b8aa3c3dfa77c1c04 |
| SHA1 | 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 |
| SHA256 | 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
| SHA512 | bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
| MD5 | 8bcf501dcbf502ad5455f96580e4cbb1 |
| SHA1 | 3f893f1fe4910da376c8baae86ba94a7af857136 |
| SHA256 | 96e8923d3a984184562e3507a3741921a442cb89faaf432cfc0312a8bbc3c219 |
| SHA512 | 175b9a91dd9f5de5166af11aa531a40d9a31fa6b8da4e19936df17f33bd718ba348f2c1528df8b250423e6f680c203d916f166dddff3e6f8d63c8086ace4682b |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
| MD5 | 1af0db9020b3795376d7796e12dcc3d9 |
| SHA1 | b0acf068c7fb64f75f77ff5751bd8353776d1851 |
| SHA256 | 7e6bb9bd65714cd399748cc57812cb3131bde5e67d43a21a5a0f58013bd273e2 |
| SHA512 | 2935ce7c65d6a9b5974d2281dc8809096eb7caaa630d14da15fb3f561139ecf39f73944e83b81b52a06e9d66649587fd0764dc938e05fbdb91d6e5eb99254a67 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
| MD5 | f1b59332b953b3c99b3c95a44249c0d2 |
| SHA1 | 1b16a2ca32bf8481e18ff8b7365229b598908991 |
| SHA256 | 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c |
| SHA512 | 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 51db367c5617aa157f47a04567cbafce |
| SHA1 | 770f30e392147da5d97ea537fea858a7aaba5b91 |
| SHA256 | d3ea7be352bf8b7058053fc9d41d9d3253bca4c981e337e5188a0b1bb5054b86 |
| SHA512 | a22137819156db9a293bf7b328e7b086a5faaf3da8479009889e426c1b6cfad48fcd7d25c15a51c286bb2a67ad8249efb1a1c7cfaf42eb80e31ba9134e0339f6 |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
| MD5 | ec24f4684480fefee49f06d7b1b4eb66 |
| SHA1 | f0c10ff21ec2147bd6968ef859cdcc1e7bcad066 |
| SHA256 | a4a2dcac92e7ff63b8f2ac252118fda1a376df8267ae323cd49aab6519957f04 |
| SHA512 | 7429a6b3c2a722ff55f2e3b0d67bb8c9be7948a43820de558052f72b67470fe35dfc6cb9476ff61839c9ddb34efe882663140ae3988f653ea047141385925962 |
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
| MD5 | 9c1625c3cdb1d1f15653279d9b97f0c7 |
| SHA1 | 8932ade4438e9acb0fbcfb32cf0c732799ab25cd |
| SHA256 | 38988c202cdbb608d34245455245261243ae86edcf7b670ecad025f09fadff75 |
| SHA512 | 7729bf3b24c43ef428b822468e3bf216b91baec42007c5c13f65ea01201bc3235ba9c510d93bc15baa78e8d5ed2831c6dab5dbf97974e3f6a69bf598465552dd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9B6AABE6.emf
| MD5 | 0ed5bc16545d23c325d756013579a697 |
| SHA1 | dcdde3196414a743177131d7d906cb67315d88e7 |
| SHA256 | 3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3 |
| SHA512 | c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af |
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf
| MD5 | 169466b09b3bfde1f41a57f9bb6eed65 |
| SHA1 | 0b40e2460a805b2b51b376dcee96fb5327411365 |
| SHA256 | 9edee394ba375112cdf2cee063ef9808b9bc3a27145fa7aaad3b93065f92f5f2 |
| SHA512 | 71166555015053769416fc33b72d3ef2195e07c1dc2f5ee8508f179468b4ecbdcdb232eef69685e3ddf9dce34615aeddd8172185db660e25406aa3df7515ccc3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
| MD5 | 98bd5a14b625021245cf02b4fc873c94 |
| SHA1 | aef23dddbf45fd07f3d1e8889f7cf3f9cb072541 |
| SHA256 | 90f0cfeceb4a4300b6c760a05c0c49a911e55d5ed0e97d83a8a557c6583cfe05 |
| SHA512 | 88744794cdaa4f0347074b7df9b0d19799eb116cc095aa72a14510fd3e194137f9165a957fac9afc74060632499c36816bfb9dfec78758344bb74c341649c883 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
| MD5 | fed19411322303de56c333eb8f3b2c78 |
| SHA1 | 212506ed0f8a69fb7c4e6df0086220e00f4ea157 |
| SHA256 | f541190a327ea848cb6908a9cb0f5454d9c56ac0ac4db304532ca53612b294f9 |
| SHA512 | 7c3398e8d72acf5586d57ba5c4ef6ff14cba11fedc036ed468c960e6e517f89c0d0145fe452f4068cad0ece3bc8cd9b3d94ab2d6b79f72ce8f62bf463020a049 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3b3c6fc2c328b46fd5864160f7bc166c |
| SHA1 | 1eb8d61ed01ecfc44701a543bec89ad9d37b5a30 |
| SHA256 | 18ddd9198a891e167a090cd595dd3abb9d9e60895a99397de45f0b57aa223e39 |
| SHA512 | aeb01f8b23b29d5b27018723a5448a0c91dc82a4f385a00bf24759c0c8e12a470c06843d91b6912acd4bcda4cbf4b9051115e68c19d65ab48288f5e3e7e69258 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fcb148c1a10da6a40ffffb077115b6c2 |
| SHA1 | 87adab7c66df7e5c1b7e41b1e1985d5e105ae48b |
| SHA256 | 6e9c8dea02fdc78d3ff14ec9c156a88c46b94d91c70e4581f2ebec00731bf00c |
| SHA512 | 921eb1dae4b090eea0a865312703894248ed0ad1a3cb06e26eb557b6b58daaa28f3a653947aaf17e19f8a9ec307158ba0e34d708086dcb22321f0ecd504fd03e |
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
| MD5 | 7c5720641fe607a144d460deac6bdfbf |
| SHA1 | 1585be316d416c284c17b8ab859f93fd260942c3 |
| SHA256 | 10a035c4540371d6f983f7d086a10d54460cf6c8ffa4fb04c2be8df2327c04bb |
| SHA512 | e254d2bfccdd4eec49214affbd4377faeef0833f4607335640b1dffd2c93df7cda8e02ec2693cd5f2e7f8db204157c6578a5b123f0f0fd8210cd9df107e11e59 |
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
| MD5 | 318cd1281db65accf8abce0e1d4d5dd6 |
| SHA1 | 6e97d827c4f9bb03b032e1f3c9cbcea0a4f4bf34 |
| SHA256 | 724a6681ad5ee6e263c3da9a04c0900dfaac6cd24ce37a057e0b4fd57afa25fd |
| SHA512 | 3483ea30a3c7c63f3af11d631df6ea67d0eaa377cd62aa18840460a7a33655132e21a697e6c91a2f782c834528963d0f5455861fa6fee7dd8554f3d159825128 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 116b59a87717e28e3ca665bc04b36957 |
| SHA1 | 3d408949a7d0d7f2936cf2a2aa5be2b11e0c8161 |
| SHA256 | 76b58528565cbee576ae442659a40f2e70bda325afa92113ea28fd3bad51b2f4 |
| SHA512 | 7f446fa82775a6b95ebc2848e5ac03a4daad593758c48b169f4686bb016a0a1202cb520f4b964283dacade772ffcf6cfd00c35e2911f8681f055bfcf7906079e |
C:\Users\Admin\Downloads\Unconfirmed 818019.crdownload
| MD5 | 055d1462f66a350d9886542d4d79bc2b |
| SHA1 | f1086d2f667d807dbb1aa362a7a809ea119f2565 |
| SHA256 | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0 |
| SHA512 | 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e47aff2d71a81c927d103d5c5bfe3120 |
| SHA1 | 5d8115b44d58ef2dbb725ec5edf8c455383dba36 |
| SHA256 | c1bf99ba004ad6244bc49b43deec2c0a9a355ed9f77014deeea0993ae3d43cb5 |
| SHA512 | b04e85697cd89d5650e2edbb68ac89d7d9fb9458ce38ba81d46c3b3ddb9fb55013035d0c44ffe8dc6c5cb797969f9e3e6eaeb6a750b01afef98a8260c80b0899 |
memory/4180-791-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDD6EB.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ae0caec9a9baece10bc9904065a8b188 |
| SHA1 | fee121ba7f0d5864682b2259e2af3cdb7df8bf23 |
| SHA256 | b427fb0b8c159a3bf953db171272b615bb242e6dde60a28d696780431dedb5f0 |
| SHA512 | 967d7721bb3153646f1501197b0578d66167f5f0cc9155e44c9b9649b8ebead004fff1f0d3bf54c170803772a3b85cee85a7ce0a5ef5ae0e2dde5ef729ff81e7 |
memory/4180-1238-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 43deb6596da2d67131ca726bf2232f30 |
| SHA1 | 42566f810a3d90e81163318b9234f650ee03a01c |
| SHA256 | 0ebc86cd496accb0ada2285bda435d54eebfd51c9cca0f4f5449f6458879d3d8 |
| SHA512 | 11500c00e01ac6a7130a453356202e13be7fc7bab8368d5b2b05746db65969bf4a86df0e319ad5d6580e7442a293873fbc8828efb76f61b08e9a342847a766b2 |
memory/4180-5288-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-0B90E7CC.[[email protected]].ncov
| MD5 | 71053313112362c0787bbe78c47a2d1c |
| SHA1 | ada9b8ad6e5b4ba582d43e964f1824b1c8ffd607 |
| SHA256 | 9d7a91427d322446467a628769688a42b8b407aea7b12c5e3cc36bbc24e964e8 |
| SHA512 | 1de1a25f00dae5b3412d1d00b2c4ba42c7c85c7359b109c844d640f5db1c904f05861c275f4ec977b43c7e17f129eb0253edb79cc8081939ef029b3cd9232a6c |
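The entry just above is the one dropped-file record in this list that carries the Dharma rename suffix (`<original name>.id-<8 hex victim id>.[<contact e-mail>].<ext>`), matching the "Renames multiple (666) files with added filename extension" signature. As an added example, not code from the sandbox report or from the analyzed repository, the Python below parses this dropped-files format (a path line followed by `| <algo> | <hex> |` rows, with `memory/...-memory.dmp` entries interleaved) into records, validates hash lengths, flags paths carrying the Dharma suffix, computes the size of each dumped memory region, and counts how many distinct versions of the same path the sandbox captured (Chrome's `Preferences` is written many times above). The sample input is constructed from a few of the entries on this page; the contact address is visible here only as the redaction token `[email protected]`, so the suffix pattern is written to accept that token as well as a real address. All function and field names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the same shape as the dropped-files list above. The
# ransom contact address appears on the page only as the redaction token
# "[email protected]", so that token is kept verbatim here.
SAMPLE_REPORT = r"""
C:\Users\Admin\Downloads\metrofax.doc
| MD5 | 28e855032f83adbd2d8499af6d2d0e22 |
| SHA1 | 6b590325e2e465d9762fa5d1877846667268558a |
| SHA256 | b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e |
memory/4180-791-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-0B90E7CC.[[email protected]].ncov
| MD5 | 71053313112362c0787bbe78c47a2d1c |
| SHA256 | 9d7a91427d322446467a628769688a42b8b407aea7b12c5e3cc36bbc24e964e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| SHA256 | 190c57f26b65154083000b40ecc239ed007075b9f7f258b3b4bf7f183a934ddd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| SHA256 | a505dacf7daacfd73741d44789fc925572d3c3b35e23597e19bc252ceb8746ab |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEMORY_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Dharma appends ".id-<8 hex>.[<contact e-mail>].<ext>" to every file it encrypts.
# ".+" rather than "[^]]+" for the address so the redaction token, which itself
# contains square brackets, still matches.
DHARMA_SUFFIX = re.compile(r"\.id-([0-9A-Fa-f]{8})\.\[(.+)\]\.([A-Za-z0-9]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex


@dataclass
class MemoryDump:
    pid: int
    start: int
    end: int


def parse_report(text):
    """Split the flat list into DroppedFile and MemoryDump records."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = MEMORY_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None  # a dump line ends the previous file's hash rows
            continue
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def hashes_well_formed(f):
    """True when every recorded digest has the length its algorithm requires."""
    return all(len(v) == HEX_LEN[k] for k, v in f.hashes.items())


def ransomware_renamed(files):
    """(path, victim_id, contact, ext) for each path carrying the Dharma suffix."""
    hits = []
    for f in files:
        m = DHARMA_SUFFIX.search(f.path)
        if m:
            hits.append((f.path, m.group(1), m.group(2), m.group(3)))
    return hits


def region_size(dump):
    """Byte length of a dumped region; useful for spotting injected images."""
    return dump.end - dump.start


def rewritten_paths(files):
    """Paths captured more than once with differing SHA256, keyed to version count."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return {p: len(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    for path, victim, contact, ext in ransomware_renamed(files):
        print(f"Dharma rename: id={victim} contact={contact} ext={ext}\n  {path}")
    for d in dumps:
        print(f"pid {d.pid}: region 0x{d.start:X}-0x{d.end:X} ({region_size(d):#x} bytes)")
```

On the full list above, `ransomware_renamed` isolates the victim ID (`0B90E7CC`) that Dharma embeds in every encrypted name, which is the value to pivot on when matching the ransom note and other encrypted files on the same host; `rewritten_paths` separates genuinely new drops from benign files the sandbox simply saw rewritten repeatedly.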
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 03554ddfec3486765341d3cbae7fd00e |
| SHA1 | 637a58bdec60979e5c22a75efdd08b50305afa92 |
| SHA256 | 9f90fd6d4ad191dd77e26558332e4524597a1f712d53ebc8cbafaf389a5b4540 |
| SHA512 | 6b1326aa8d50caf347bb74df7bb57fdf44d716d5a431b1145abb634f196742beee0353fc3b6fabbee801924ab6427add39f20ddc8c7b50b0ceb3985ceda88a0f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | a20ab0271b2f30b5f74f76d64cf86b9c |
| SHA1 | 3211781d1af39ba42c94dfa665b8f87008e07745 |
| SHA256 | 42ee75282e4e364d4d18de97000ab2bd5840df6fa71a195c48e18c3f1130183a |
| SHA512 | 0dbaf24ba76cdda15fd558e46288e4ee14b915d7cb2adf94c5182ba6a199784bf40bc8a8f961c5375342110b682ed3a9ce6c7c43fd8a422d0efc4950a9829fdd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db
| MD5 | 5a1706ef2fb06594e5ec3a3f15fb89e2 |
| SHA1 | 983042bba239018b3dced4b56491a90d38ba084a |
| SHA256 | 87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd |
| SHA512 | c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 45081472e85897fe2767be822cf3f621 |
| SHA1 | 52636ebc6e5d01395019418a1d89166302ddcb1f |
| SHA256 | 411854d770d39be4ac2b46786c376eda7cfc78a031e88353d798fc75559d68b3 |
| SHA512 | 2c04c65412eec476e5edeaff13e21fe060b39dab443b1180c763ba05e808c3ff9bd2d1da230dcede4b3c4c60a8d35d23443460f4cba9e16620e7f292d6d7f25c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5e460ad3f4b7219227d7c2199eba5dd0 |
| SHA1 | b33fc753f2f0c1175d99ed16e06ace856fd8830d |
| SHA256 | 1d9a5d2933ec77a5565998114161acf181f23ee50c262b485aca398b93666bf5 |
| SHA512 | 424db62fc88acc00c96d43e32154db2f78aab39d0a34fc82e16a541f6a3a61b187f8adc1a14f507c25c4fdb5571070b4d89c539d32594872eee8f2e7375edaac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe596930.TMP
| MD5 | 0e9b8b2ca18d6568ffb0bee2639fc0cc |
| SHA1 | 4a2fff3d522f3a6ed88281c53fc3048596aab225 |
| SHA256 | b2c0c0f0042fe0d2a05fc9c818cd6c13a8d2693502a23b649935426d2f5742ea |
| SHA512 | 435ed3f65a84831a685b42136ae96b3ab066785723d4619fe60c487473b698fbc31f32262e150d48616734f79a4db88588a8694b43992344db5b63ececbe518c |
memory/8676-26809-0x0000020478970000-0x0000020478980000-memory.dmp
memory/8676-26793-0x0000020478870000-0x0000020478880000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3ef9318a7ce91719f8e58851e7b3d775 |
| SHA1 | 576ca0becca5924e3ef7397bee36269ef0330c9d |
| SHA256 | 61c39b80730553d7a5a2992d0097fc70ea9608c0d5572df225fe53d37801c3e2 |
| SHA512 | 92f1e8e3761350b8e5b2b52311fc14368f33b0da77eb7316f8e64d3468209ea00f30194be0a4bec7de95ee27d7d979255592074048226658cb47a0b2153ac29c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe59b7ec.TMP
| MD5 | 1534b4a5b0fcad4045748d9188ae093b |
| SHA1 | c7abe169a4eeb2248d77df87ed9e0f55c30d5e2f |
| SHA256 | 5590a4e18ae402da1c5b59569556a57308adb2c8e0029c20b05c04a9bb3ce460 |
| SHA512 | 9c9048540ccbe79e5f32ef46c8c5e910959f48b8be57a7e8332d29ebb69e38477d9d91b3c798bda5f1acb021f834e1197e3b4f4340c2551c9c4588199e47305f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e8f6c530c1eac89ecfe2c1fb79428460 |
| SHA1 | 24b7efbaad201cfe549b7415dc3b78e41f176a87 |
| SHA256 | 23165dbe8ea9c3e6d8804f727c04280947e04b3c272d162c923df3b1b5dcb5d7 |
| SHA512 | 340447471d7eb1ab906c00273598960ef0e9ac6dce60fbfb08a41040664973f401bdf6f0027c85b6d444a1342804b4af4702f609abcf1f3e81163301ee42da76 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8d823ee8e4b7c29d5bba2672ddd2f6fe |
| SHA1 | 539e06e4d4c093748a3cfeaabe58d5b1f2247259 |
| SHA256 | 4998f068fcae8ccbccf715c75987f9205cec097e4d2079a7673b8af033834cfc |
| SHA512 | 8652d2070e0a113eb72f4282978a17f30af059235cc726e4a9a2e60a4859a04bb3b0b1537e7d36693a3f95da8ddfbbd25ba2ccecc76f7dabfafee9d935b56ce9 |