Malware Analysis Report

2025-03-14 23:59

Sample ID 250228-dmxswsyvdy
Target https://github.com/Da2dalus/The-MALWARE-Repo
Tags
dharma credential_access defense_evasion discovery execution impact macro macro_on_action persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Known bad.

Malicious Activity Summary

dharma credential_access defense_evasion discovery execution impact macro macro_on_action persistence ransomware spyware stealer

Dharma

Dharma family

Renames multiple (666) files with added filename extension

Deletes shadow copies

Downloads MZ/PE file

Office macro that triggers on suspicious action

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

NTFS ADS

Enumerates system info in registry

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Checks processor information in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Interacts with shadow copies

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-28 03:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-28 03:08

Reported

2025-02-28 03:11

Platform

win10ltsc2021-20250217-en

Max time kernel

176s

Max time network

175s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (666) files with added filename extension

ransomware

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Office macro that triggers on suspicious action

macro macro_on_action

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3452737631-513087862-588053281-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3452737631-513087862-588053281-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jawt.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\precomplete.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\ui-strings.js.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ar.pak.DATA.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-process-l1-1-0.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation2x.png.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lb.pak.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.schema.mfl.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\wmlaunch.exe.mui C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.id-0B90E7CC.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{AA52FC6D-7A2F-4476-ADE9-5A5477DF6A64}\8tr.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Mabezat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133851857070954127" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{AA52FC6D-7A2F-4476-ADE9-5A5477DF6A64}\8tr.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 3160 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1480 wrote to memory of 2092 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1480 wrote to memory of 4596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1480 wrote to memory of 2888 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa9b2dcc40,0x7ffa9b2dcc4c,0x7ffa9b2dcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2072 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2300 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4012,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4884,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5168,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5216,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5488 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5232,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5652 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5240,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5528 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5500,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4636 /prefetch:8

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Users\Admin\Downloads\Mabezat.exe

"C:\Users\Admin\Downloads\Mabezat.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5472,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5696 /prefetch:8

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5780,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5664 /prefetch:8

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3804,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=840 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5732,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5708 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3436,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5212,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5248,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4320,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5884 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=840,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5272 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5312,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5784 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1084,i,15954826314994851730,14982078513279443786,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3796 /prefetch:8

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\7bb109a1bd374badaa3574f2d6d7381f /t 7592 /p 7604

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\b33bfe593f924e29953937e0f96e033d /t 35584 /p 35580

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

\??\pipe\crashpad_1480_NZXWZNTCCYTQKMTY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 d3924dc3a7ea206d73932d63f8e78bfb
SHA1 e59630ded59c7e977df5933018aab33a4a95fc64
SHA256 2471770471c535777fa588b7f54876cccd9cf839b7b9574b17cf7b197e498b16
SHA512 819c7e67bec0a9098554ca8cd5519859350b73163cacbfb70d92ad5289f7336de709090e2420a4dfa7bcfcd3f7eb4954aac9aefdc92ede696b044156286d0597

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 8cc8617b77275282c712cf74209fd64c
SHA1 c02d45fdcec1c1af65a246d1c605d69493098604
SHA256 8f7f55428427163508751bc13879f262bb740e28b7169c111dd643f71395be26
SHA512 e1225ca7fab224cd0ab93f081a506b08ea620822f3b184f1956cddedda080c902c3cc6b7bf61d1e0227e6270ac221d96bea4c8740693f284f8e2ad35dc7c8c93

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6c1f9452c8a1ae5cbb1c61ad7ac5851b
SHA1 c86078952babaf3adefd69a532072edde4895d8a
SHA256 be49c5f75431436627a82086a8ee1c9c70919de8a5849522c6af9de62ac6edfd
SHA512 5b319b4819edaab4c37a17883735dc95b504abf0b94a5e9f3371b1d8b0e904e8200cb442bc6588934cfd325d3538fa92acda3d36b52848ed826466764489dc47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d2b07f38bb0326227441fecfbba36cc7
SHA1 986ca083e1badc41fe10c5ce795f5ee3ac0c3c0c
SHA256 406e8e2bc6111d820d16c54dee7c15122d846fc712643feb2a4375e5f886c320
SHA512 9ca28e15a6a43734949c365161c767276d68ec1d69ee6701e688e9ef6041dbac716644c330705143b8bcee44e4d34085c32dcae64277a2743e49938fda6a4f5e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 95b622049bec41b9c48480b60439a32b
SHA1 5a6552376931164b470d6a4c2e29a315327b8a4e
SHA256 524b52be4d7734838b4ef2632b8d6742788475e17f5b74b8025482bdd384ae56
SHA512 6196fff128d0aaac087b361b403cde96f86fb64b7aec385a12893108a9e50f446db10c2ed4dd1205a920287c5b56cb39856f6f15c9991895237f25f443caf187

C:\Users\Admin\Downloads\Unconfirmed 843811.crdownload

MD5 de8d08a3018dfe8fd04ed525d30bb612
SHA1 a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA256 2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512 cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b1dce97b4447293f81750a75ca34d962
SHA1 7bdc19ed16c63c4d02e40b0d269bdf4688753af3
SHA256 f5a19918dfedd2c5c201cc6025d11d44cc8a47705a6fbcf8f28e6e0558d5252d
SHA512 b862831ee92aa3e55cbd7b4e398b7b4a376e891d69cc5099ede997e387419b7420458086b2fb4e215390a87980a5c1381dc2078eba1a5b4cded979ad42b050bf

memory/2608-239-0x0000000001000000-0x0000000001026000-memory.dmp

memory/2608-241-0x0000000001000000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0cb60179ba5e8960f93d68b592e8cc63
SHA1 8b4a7af127e15966dc92db48056c08acbbe173aa
SHA256 d2d9555759581565c0e7e0dca1d2beb5b66510cbe579d3e48c1f2b3e0dfced6a
SHA512 38d5b3bd9d458683c1001aef8f602284c4877a1d5f7a83d2a6b74d185dbe2260c1058058bcf3d29d78ae673c3826821117f614b2694888be037d20a85804929c

memory/3748-252-0x0000000001000000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 32cba240465f2413d5128b8dca0fff28
SHA1 8b310008ef524c39d524e4514c72f7803cf63db9
SHA256 fa927660e5671c4f8af068aa04e305641b5e68630a38c30ccfad518aa5c20ddf
SHA512 f9a9bde7ad1b54ab4372b569bed90d48272c1e43f10010fab007bd352acbb5cb0ebcda8885f8ab8d1833791121597984c88ac231620fe573e093f4edca1d9976

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f102c63b71351fb71508f9e018c39f84
SHA1 55c9a92f5b64aeaeb221057c897341bdce3bdc11
SHA256 48580f44554246d5765cecd564e4260a88f3d3936c8bd5c3ab13b51bfce8df15
SHA512 b4f1f453d5aacf09f39c80a5e6a9806e845ebc179bc5637e1daeed55f36ac3e0d66df5d6524dc1488989087a1c4b91fe43d4fb39472351b3a2b44b8f707d7cb3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d0fcfdd42d7976ec4845fb6aa8459264
SHA1 c634012bb156e3c3ff91549d6e140b990e9199c4
SHA256 a41beaef8be4faa775d60fb2ab109c43f9999ccf36abbfbffd7b77a86ea76fdc
SHA512 9c1b3fa98723f602f3c717dbb7a2c82252b92ffdfaf878040d2555fcbb8f78c2f518c4234aa89138d37559654fb14554e0d285c5a97e08eb39cf7d50f9bd1769

C:\Users\Admin\Downloads\Melissa.doc.crdownload

MD5 4b68fdec8e89b3983ceb5190a2924003
SHA1 45588547dc335d87ea5768512b9f3fc72ffd84a3
SHA256 554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
SHA512 b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

memory/1180-294-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-297-0x00007FFAAAD6D000-0x00007FFAAAD6E000-memory.dmp

memory/1180-299-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-298-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-296-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-295-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-303-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-307-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-306-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-305-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-304-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-302-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-301-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-300-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-308-0x00007FFA6A340000-0x00007FFA6A350000-memory.dmp

memory/1180-309-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-313-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-314-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-316-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-315-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-312-0x00007FFA6A340000-0x00007FFA6A350000-memory.dmp

memory/1180-311-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-310-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 c0cd6e320640612520566f8d00a844e2
SHA1 5b3614330b3c599f73d6d3a180f5117ba8a014ef
SHA256 410a3c0481aee7626645f122e671943622273df21e2b32ec26e7e14258dc829d
SHA512 9190ea5e5c81410e5c1b70afff02a1500577a758c3dcc28b350939a801d5244cff55e80c7981648ad35f3329bbf55882d0b14e54bfbcf7e4c8dd8ec53a7c40cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b17afad9c04c51e82221d585d44099b2
SHA1 aae7932893fd6268afa15e113896713115d9a11e
SHA256 190c57f26b65154083000b40ecc239ed007075b9f7f258b3b4bf7f183a934ddd
SHA512 205be6e9ca8642d84b8d930fd2e85b8bc423b8c84939e0beb1f50d9134d7b97cf5fb8053e6ec8be90c71e242cc7040248b6a5794fc16fc5af8bf062a53a0a738

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1e2a40cc8251bd19e19a2223cf3393ca
SHA1 66059d691d39e65aedd8fd95355c881d9f8d5a7f
SHA256 fdf52813079a77d46393af00017b800eefa139f026c089333595db4e338c8bd0
SHA512 c8b59b745555cea493e36e47ce46c1663148cd8797bc5b5ebdaec65b1b46a5a8f3acccfef0d6a2345312263b954d023cec8c45fed3aaeae7bc6db7a0b42012d1

memory/1180-381-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-383-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-382-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-384-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

memory/1180-385-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 08cc4a2d31392adde919c16e73237809
SHA1 f30a79f2af2e4c1b359ecc86d527236b5e8fd0fd
SHA256 f6968edee55b6f061ead250e1203014f587b3bc0b907ab945925925a29199977
SHA512 1efaf02ee7bdf0c90fa2149117a73c8343668d9a9f280e555ca9acef714e565adf0e7cca3b9a044e94b32533ba703e7acf6924b8a1f1b0d0226a467c764cd323

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a18e4792782914f299db8a7826b1165c
SHA1 edf0b3eeaa5b0ca24450a5b82293422af7e0b69b
SHA256 efed8be5f4278ce4f9884e649302af566d68694c4b88ba035e79056cc2802a81
SHA512 9852277ccb8e4509587b26e9d5f2d5f41bbd136af58487b6d47286b4b8b47ed513d427f21f1f2b34793138f0365e88e0fba8c6773fefff14e241855a7b6bdcf3

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

MD5 992eb8566c3d3f0c1e93b892900610e2
SHA1 fa43e4b48aa20587595988a0a4e89d5c351af3f7
SHA256 8812257aae7b48d74a28abd6bb52bce784193bf031126b5c4c6b865c8c2ae14b
SHA512 b03fc8d7f39e8101bab64b52db0132b723525d86b122eff52b5cb9f5bb5ccc7108d2e33d46626a18b8532c1240a7fe42efb381388b8b833789352f7171426c55

memory/1180-457-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-460-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-458-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-459-0x00007FFA6AD50000-0x00007FFA6AD60000-memory.dmp

memory/1180-461-0x00007FFAAACD0000-0x00007FFAAAEC8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 10aa2f518c20671de6f8ec6f4a76865b
SHA1 2417476d948146ed0b63bda9e9927b577a6e29c2
SHA256 5311a590dd7efe98ac83e2a9980f43a4620365e2355995296f60700e3d13ac7b
SHA512 15692d0cb62950d0302776fda5afc5ebc318e8ab116a9b72487eafa872a7c0427464b1668196fa732b5cd5894fbda7744474a67e90b275c21749033a3af23496

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c3a8d92d3891cb941d225cd483629ea3
SHA1 87b77052a6913acd1861532b9babc99dd2eabcf5
SHA256 a505dacf7daacfd73741d44789fc925572d3c3b35e23597e19bc252ceb8746ab
SHA512 0da9a6203f7d529a7a0f74fe2bcc5c87b7c910a176bd7ee61036d9d19f6be56124aac994b078d883fb90223cfddf698b60311026f902cb6204c1ca693a1110c4

C:\Users\Admin\Downloads\metrofax.doc

MD5 28e855032f83adbd2d8499af6d2d0e22
SHA1 6b590325e2e465d9762fa5d1877846667268558a
SHA256 b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512 e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D33780A1-953D-4F0C-9797-5A632E68E2B1

MD5 f8217fef67118394bd577886f171a493
SHA1 e2d2bd5b3815f5c8dc21c3b4075bb7539a649800
SHA256 2694743f1983d5b9319632f3e5cc7006a064d35027c3c16e7eed4796075c8f9a
SHA512 bad36a3c5e8621c9254af3898f6811f2e06b0df79cc90386d55e957fb9d107ef84ad86dd0a17cf5d1d05a9a6a17d3b8f34402faf44e5a720b93ba6c319dbe7fd

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 8bcf501dcbf502ad5455f96580e4cbb1
SHA1 3f893f1fe4910da376c8baae86ba94a7af857136
SHA256 96e8923d3a984184562e3507a3741921a442cb89faaf432cfc0312a8bbc3c219
SHA512 175b9a91dd9f5de5166af11aa531a40d9a31fa6b8da4e19936df17f33bd718ba348f2c1528df8b250423e6f680c203d916f166dddff3e6f8d63c8086ace4682b

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 1af0db9020b3795376d7796e12dcc3d9
SHA1 b0acf068c7fb64f75f77ff5751bd8353776d1851
SHA256 7e6bb9bd65714cd399748cc57812cb3131bde5e67d43a21a5a0f58013bd273e2
SHA512 2935ce7c65d6a9b5974d2281dc8809096eb7caaa630d14da15fb3f561139ecf39f73944e83b81b52a06e9d66649587fd0764dc938e05fbdb91d6e5eb99254a67

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 51db367c5617aa157f47a04567cbafce
SHA1 770f30e392147da5d97ea537fea858a7aaba5b91
SHA256 d3ea7be352bf8b7058053fc9d41d9d3253bca4c981e337e5188a0b1bb5054b86
SHA512 a22137819156db9a293bf7b328e7b086a5faaf3da8479009889e426c1b6cfad48fcd7d25c15a51c286bb2a67ad8249efb1a1c7cfaf42eb80e31ba9134e0339f6

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

MD5 ec24f4684480fefee49f06d7b1b4eb66
SHA1 f0c10ff21ec2147bd6968ef859cdcc1e7bcad066
SHA256 a4a2dcac92e7ff63b8f2ac252118fda1a376df8267ae323cd49aab6519957f04
SHA512 7429a6b3c2a722ff55f2e3b0d67bb8c9be7948a43820de558052f72b67470fe35dfc6cb9476ff61839c9ddb34efe882663140ae3988f653ea047141385925962

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 9c1625c3cdb1d1f15653279d9b97f0c7
SHA1 8932ade4438e9acb0fbcfb32cf0c732799ab25cd
SHA256 38988c202cdbb608d34245455245261243ae86edcf7b670ecad025f09fadff75
SHA512 7729bf3b24c43ef428b822468e3bf216b91baec42007c5c13f65ea01201bc3235ba9c510d93bc15baa78e8d5ed2831c6dab5dbf97974e3f6a69bf598465552dd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9B6AABE6.emf

MD5 0ed5bc16545d23c325d756013579a697
SHA1 dcdde3196414a743177131d7d906cb67315d88e7
SHA256 3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512 c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

MD5 169466b09b3bfde1f41a57f9bb6eed65
SHA1 0b40e2460a805b2b51b376dcee96fb5327411365
SHA256 9edee394ba375112cdf2cee063ef9808b9bc3a27145fa7aaad3b93065f92f5f2
SHA512 71166555015053769416fc33b72d3ef2195e07c1dc2f5ee8508f179468b4ecbdcdb232eef69685e3ddf9dce34615aeddd8172185db660e25406aa3df7515ccc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 98bd5a14b625021245cf02b4fc873c94
SHA1 aef23dddbf45fd07f3d1e8889f7cf3f9cb072541
SHA256 90f0cfeceb4a4300b6c760a05c0c49a911e55d5ed0e97d83a8a557c6583cfe05
SHA512 88744794cdaa4f0347074b7df9b0d19799eb116cc095aa72a14510fd3e194137f9165a957fac9afc74060632499c36816bfb9dfec78758344bb74c341649c883

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 fed19411322303de56c333eb8f3b2c78
SHA1 212506ed0f8a69fb7c4e6df0086220e00f4ea157
SHA256 f541190a327ea848cb6908a9cb0f5454d9c56ac0ac4db304532ca53612b294f9
SHA512 7c3398e8d72acf5586d57ba5c4ef6ff14cba11fedc036ed468c960e6e517f89c0d0145fe452f4068cad0ece3bc8cd9b3d94ab2d6b79f72ce8f62bf463020a049

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\Downloads\Unconfirmed 818019.crdownload

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

memory/4180-791-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDD6EB.tmp\gb.xsl

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

memory/4180-1238-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

memory/4180-5288-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-0B90E7CC.[[email protected]].ncov

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe596930.TMP

memory/8676-26809-0x0000020478970000-0x0000020478980000-memory.dmp

memory/8676-26793-0x0000020478870000-0x0000020478880000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe59b7ec.TMP

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
