xworm | e1421af63da7a98d2105d24ad4967073b8465d42aca35764e3559bc14b4a0a0e

Analysis

max time kernel
339s
max time network
386s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XwormLoader.exe
Size

72KB
MD5

b702273e39a07fa4ff763b7f4043928d
SHA1

b064d1ce34fa59cdb47298fe0509d62ecc55caa0
SHA256

e1421af63da7a98d2105d24ad4967073b8465d42aca35764e3559bc14b4a0a0e
SHA512

9ca303b8da77922c3cefd911aedb35405949a8481979b3a5eeebb7e9b36477ac7a1ac190645c9f4c333385867ddf4e468b397697e8f77cf25fc1c336b92cb89d
SSDEEP

1536:GMkLt9GR+92Bm9xqUbatmB19zIw6YjOA0ytp7oW6dfM:GDaSOm+UbagHOATttyM

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

coolguy12-30292.portmap.host:30292

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1976-1-0x0000000001120000-0x0000000001138000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000205fa1eff689db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\TV_TopViewID = "{BDBE736F-34F5-4829-ABE8-B550E65146C4}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\Mode = "8"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\GroupByDirection = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 85281f003528d5dfa3232728040000000000232800003153505305d5cdd59c2e1b10939708002b2cf9ae5727000012000000004100750074006f004c006900730074000000420000001e000000700072006f00700034003200390034003900360037003200390035000000000010270000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000b70014001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000008800310000000000fd588a93110050524f4752417e310000700008000400efbeee3a851afd588a932a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001f00530065006100720063006800200052006500730075006c0074007300200069006e002000500072006f006700720061006d002000460069006c0065007300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000008c6d0f00f800430000000000f8004300000000006000ea04000000006000ea04000000000040f8040000000000c03100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d006500000040000000508ccbeaf689db017700000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f00000021000000530065006100720063006800200052006500730075006c0074007300200069006e002000500072006f006700720061006d002000460069006c006500730030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000005b280000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000ed30bdda43008947a7f8d013a47366226400000078000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\IconSize = "32"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\FFlags = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\TV_TopViewVersion = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\LogicalViewMode = "5"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\FFlags = "18874433"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\json_auto_file\	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1924	NOTEPAD.EXE
2484	notepad.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
1068	chrome.exe
1068	chrome.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
1420	taskmgr.exe
2144	chrome.exe
2144	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2960	taskmgr.exe
1420	taskmgr.exe
2864	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	XwormLoader.exe
Token: SeDebugPrivilege	2960	taskmgr.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe
Token: SeShutdownPrivilege	1068	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
2960	taskmgr.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2660	AcroRd32.exe
2660	AcroRd32.exe
2400	AcroRd32.exe
2400	AcroRd32.exe
2864	rundll32.exe
2864	rundll32.exe
2864	rundll32.exe
2864	rundll32.exe
2864	rundll32.exe
2864	rundll32.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2652	SearchProtocolHost.exe
2864	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2032	1068	chrome.exe	40
PID 1068 wrote to memory of 2032	1068	chrome.exe	40
PID 1068 wrote to memory of 2032	1068	chrome.exe	40
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2160	1068	chrome.exe	41
PID 1068 wrote to memory of 2728	1068	chrome.exe	42
PID 1068 wrote to memory of 2728	1068	chrome.exe	42
PID 1068 wrote to memory of 2728	1068	chrome.exe	42
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43
PID 1068 wrote to memory of 1596	1068	chrome.exe	43

C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2288

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\worm.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70e9758,0x7fef70e9768,0x7fef70e9778
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:2
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:2
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3148 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3020
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140177688,0x140177698,0x1401776a8
    3⤵
    PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1144 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3412 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3384 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3336 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2508 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4044 --field-trial-handle=1220,i,1229502768702728469,5537381333395325326,131072 /prefetch:1
  2⤵
  PID:1988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:892

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\worm.bat" "
1⤵
PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type lastmsg.json | findstr /C:"content"
  2⤵
  PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type lastmsg.json "
    3⤵
    PID:2908
- - C:\Windows\system32\findstr.exe
    findstr /C:"content"
    3⤵
    PID:936

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1420

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\AddShow.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:2484

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\lastmsg.json
1⤵
- Modifies registry class
PID:2016
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\lastmsg.json"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2660

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\lastmsg.json"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\lastmsg.json
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
PID:2888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  - Modifies data under HKEY_USERS
  PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70e9758,0x7fef70e9768,0x7fef70e9778
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:2
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3732 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2472 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3872 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2180 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4208 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3920 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4272 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4168 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4568 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4584 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4800 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4816 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4832 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4844 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4904 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4920 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4936 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4952 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5076 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5092 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5228 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6108 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6204 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5064 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6140 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6056 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6572 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6236 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7304 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7340 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8408 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8856 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=4488 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7532 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6396 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=7876 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=7036 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9860 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10924 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=9548 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:6340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=11320 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:6900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=10744 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:6752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=11116 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8072 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:6620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10800 --field-trial-handle=1292,i,11627471076521376235,12412951504819275146,131072 /prefetch:8
  2⤵
  PID:6808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1b8
1⤵
PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
cf9c2f860937ef409d320b78111a6590

SHA1
0572e7a11c9e818e9626e3e5438abf1728c3e0fa

SHA256
c15a955992021f4640e40f8aa18b459521458b904c2e0153d944f40118b5c660

SHA512
6e50d2894588f79d33ffd93e069d848ef9fe64b5dfbcbc1ed5379768555d5dfed4bc8d9e5cf9a58e56b14e73d80c49363a23966b0fe0ccd8c9e2ff08720618b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
c7af5ef02952c18f7150f6af0f475faf

SHA1
2acaed4dae2a1e3e3b7b2dfb994c106037ba1493

SHA256
5a90e3ef0bfd0ae913d36d23a21de8af6cd495c96632e165959ba5c3c84d06be

SHA512
e0d02a99ecb5dac63b6761a4b4da0a5931046c283fc6d83ca5e902128b22a3242e15eff5d7e14e0d480800b8be39e678c64c64913a0da8399ee36ff55a8bebda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5536fe45174801596de255fe27c2d0d4

SHA1
05baa28d81bb281c17b75acbb7ae736540128f49

SHA256
90b9795ceb7c6af3ffa197bd5721f1e3dfe5aa656a6ddb997fc339a2ae9dd5a6

SHA512
f39027fe582e092684d212c375706003a014f11836db1939781b69d01d605839205f04e133a19f72a6c4e56416e0003cd14793691ced5e2cbc499180a2caf5d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90d527567412c024e8a670e1bafa0884

SHA1
a027a84726d155043bf5853fe8ae86f6222c08fc

SHA256
52f8a62c658ab45e7cb746e78533737e7178d104f35a97ae90eea1b0718ce609

SHA512
7dcfbc4e4ebee3971b5e5780dd4eb03f6de3835c5c39c703cff25cec402011702689d9d808caa90135ce43a2c989f66738cb5c36f705858b1ccaf3a8a137a83c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
acfcbb7af309baf00a00f60f64b5f924

SHA1
a0f6ff47cbcaf43db677617daf1aad411d10ba5d

SHA256
22dfc8940da4368feee03c7920021d761bb3991f8b28f6963bd9efd3caa65a15

SHA512
4fc12ffcf3d4e0df7318b17e37a1dec6a7c357f3cfa55eb8230dbc0950d45cacf44ee3509d67e5d173d6f52437335e570f87a5197c01a24d20e2f062ec8d8afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60a70453e47cc2456bd495f2d206d4ba

SHA1
638cc938af44e5c69d92b68c40cabd854e98d50a

SHA256
51dd6b6f4de50811c0ae5eadf14d1bc6c494144f38a5eaae5e2f65508983bceb

SHA512
29d64c6a82582804d7a0277fa76e1d949509d157b221fc60f611797b3d1b2a08a4e319beed787dbfd9fcefd2c8e1542aa281423992e16f1ccd2c4268022c6516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b13686437e79c70884bb2606488344f1

SHA1
54dab6aac6fce5330aeb601e9a29c18f71c33658

SHA256
49e9db6bf5cdbdadd2cdef7ab9e7e7bc42c5afa90240e277508537c17fd0b09c

SHA512
5f2948f900ff8989fd28991e02094f38decd38a08a0ec7518b892664bc5e4ef2c1e5b077e675610e1b143766a17d9726ce8937e1166338286b03c3c751ded25e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2010022d66855327acf209ffe766531a

SHA1
066c2a49e00418cd3105d2d85d2fc3379f93456f

SHA256
2b2a9fd2c6efb3b783e0577ed18367e253bbc03eb9959e2756daf37cf3020903

SHA512
e47bedc8fac2f35639fd8ec21aa2890926b584fdde05b013f8fdd06a3b4ae34b428cdbe816412e7de277a31458ec18bbf661b9909e2d8a50a2e770409cb06bd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1252472388d27d648806af53f805cd2e

SHA1
33b77ff1c6a43c95a583b2198f36d45e16ce7bd9

SHA256
085341a07cad0709e1b654a688d288534b8b42d6dfa95ac368b9545de3c5b393

SHA512
c1a608c48f9f64525678820b0371e95651d2ae7a6afb69bfd5c6db03308a9779e2046b993089adb88a7711ba106441cf401866a8febeb86a7c417f923903bdca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33373b8097ebcbae94a566cd4e92cb53

SHA1
45dc120c9fa8cc9642b0d317f772b7504285516d

SHA256
8c9037e7ac3fe85739d7a4110d5dcbb958475d85a9fd086bbe689daec95ce1c3

SHA512
0d141692c2adf8e34f10ef02ba51f56772c9655bbec34168df0cb6abd421ffa720379418909a6ddf74429efa58fc515c59526e9b79acf0b83483beb6db7133b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21af7011159deeb698b093a4579895b8

SHA1
5a43d0afc1da53e7912a014c3b3b64a37171a0c6

SHA256
3c03bca32df5fc1754963b0080cf53273b6645a15f891f42ff8662d273671623

SHA512
d6f8dd456e0bb3847637759d89bfffa91e84ad16ecea65c76bbc779543d47e0fe64c64beff421e2e317f9b7d22c19e1428757f5826cdaf028838e38645a9c4aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c347f42530883b49aa5d00bd68d179e2

SHA1
bcc217e0ba1afc0fe969950fbe21ca4ec9c4a39a

SHA256
528cb1fb9f4d2d4c20c8e6a7aab353607ba9d9f1085b58e1595ae78608b1790d

SHA512
0be8ef105a6906bd9e285710de562937e0fa9935ce923089d953d222fc80eca1d4975fd0ef5092d150d9174e2035f056e70e33cb6f0729588bed234fc0d73505

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba0f533938bafed77a0c7db16e73c619

SHA1
7c852080b4270cd0de2b92ae3c241ba83bce57ea

SHA256
ed53aaf2bde30be854bc0ccd38aa87596d15959fd24ae9c10fb8e9043404476a

SHA512
d9d638dffc4a9610fa61643d81496042a85312f830a4c5ebb825a68a88a753bdd83db58fe320ba8cf0be1a99afeeaeee333ba7f96ad298c39da98007a8186173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73e5afefe808b94434d36c36392e55d0

SHA1
156226252327df7530dd301c865b5c6bcb767b61

SHA256
03193c9ac40f465778e580b70a086936a3647f756951ab692d3c4dc722e20708

SHA512
6fa8a176a3c98e0d8001870b83af17f5ecf296b2a95075a6e1f733825948e8a3ee61dba90105e7fa27095f5fc5cc9e2e1927c2d2906cef10ba7c7b4574b74eca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e9d80f45fd129ffde20f9f9389f6910

SHA1
be4f54af04cd51be09cb1aa6063e8b91b1931c68

SHA256
143a870d68125a656b8c17d7dfdb48eaebfdc9f2aa43dcbfb8d6d001e539fe2c

SHA512
f207ec52dd1e58c9b70d32eedebc44fc6368e1712d6c6c27e5adac0ecaa5ff95d808e4e184e2babfe80aff002f0666ec60269c1337c4b061e87bc263c99063e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cc05b24832bbe85ab165a39e0be557c

SHA1
f3f9ae8b1109b5f105e15ed360b0728d62c2588b

SHA256
5d9fb7d7b6e28e0f052f3a4af88ed205d5047cde36b36bd7d097f109b30682f8

SHA512
17ef7b35cebfac3b7f357d0a9ca61c0565163e4f94692c38cb77c549b5cd839dc60434093828cfeb8b00c090d813093d90e4bc819306e565885f00ddc0968fac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00e81f11dc77634eeef2a7efafadf216

SHA1
9eaaaa31fc0889d614da53b06722349b32b80739

SHA256
44b7811f8b009b5ed937c08361a77af376b6a4bf9ace772ece41a81e19415719

SHA512
09ddba563703e67baaba7cb3ccb3fad3342c2591076e4afa22e8978b8308000f4177ba8be4d602d1242fe01b62fdbc1eba7140675e4066bb41c18b42080eb702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0492740752c44c7a339e3e3d4c141574

SHA1
00e2e41f6bd2fdaf2e03a08cd26eeca271e55afe

SHA256
16a6e49e1e83bceca1807d2e1d99600f5265a4a961a0d95243782f8fb9920209

SHA512
e5d056a1dd1c7e8979b3f4a059ea8f3d2d6e1138e3985036b2e82ec442f1ea4233679fb2b3ec6bc6b8eb75d51442eeeaeb0fee6f9c689cffd90fe65a29b994df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
202aeb13d32abf92a0a69fa5932e8673

SHA1
49e71018600b9bbc1dcfa7131b0c02b980d88007

SHA256
5b530ac257ebc9a5ffafa434fc9a824b94e259be12a70b858cf47125edf3627a

SHA512
c582baa92eaa93c8c156a18689d5b0f48c96248c3b93a9503909b9c63dc9b27eddd38a167c36914fc1ef2f156cb982c9a28a5fd0d4dfc70919f7dcbfdc4da739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1161b44b537adf2cbc8ebe947ca0ed2e

SHA1
dcb82d03de8ade38a15164933e0d22918c13ad73

SHA256
8418c9b911ade7e9f681ba86a26147973cb7c222c2c2fb800e5c6bdc40e8bec0

SHA512
bee46e0892fa4aa5cf2121e2c7c06d39cf0acd514f718f11a815de460eee2a1f73175341ac9e1d5d00af2fc91b8073ca5e9f42c3bdd5ef70299079f3649a8362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7895d49461048c023ca6111ac26b66a8

SHA1
db56c1c6fc0c16087d2ed8fc380da25f8c755966

SHA256
7f5259c90ac63ebc4499c03b2b59cd3ad97365b25e1fcf677dc135b963c346a5

SHA512
40758a6fe5348eab00034d42717e681108b62398f60ada77cd2a31ed5b7e823740f53f93ba34a043cdebaf441403c458b4a805fd2791c12b1b0b4afc49ebc0db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e98bfb058aa9d469a804dd7c0acd9774

SHA1
b7fcc3a7244a00feb91f006b366a649a71aeddd6

SHA256
99fbf60c1633f65dbb8a0d5ab94c7164e367f729a369a91065cabc7f6a699ec6

SHA512
fb1155bd795e0cf11c8d35d0942ead44ce613a34edbc85e58c50c916fdebdb7be73f48aee77805a97c657979d0fd65f535fcf578bfb5b4a0a1c63ff395f1d0fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc28416a8dd7dd49ca4044a85a313f86

SHA1
35ea6855fea1a4a173f0d60692798bb90fa403c3

SHA256
105798206e6191a3983b2004d51fe2554b4a641814d143eb527ff30eb2d8ea88

SHA512
0f8e8de1dc8624fbe61774e9347566a0593aab22133fedd36a58e0e4daf7c0c709deebb825f20ffe84fda2bc7ea9368360caf562f492536f4d5ae98416ecec8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aaacc3a6cc4243b455fbed355fcbe103

SHA1
162165ed77608a58f5b58feaa519e33781f02959

SHA256
70f61585d0b19ba2bff9e6dfa08c858a03b6be51e67d0ae92bdc57c84aebd60b

SHA512
63284f455792d8b7ba1f954759853cf709c4a9d3e64cfa04e3ce1f7338bc50380df46090754d8bcbc09220460e246014d50693e1f0135162ec4eb61b3ea59ead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66914d7d2d8b1fa37540e404e382cbc2

SHA1
4e6b6706fbb978ac7dfd3561f86b5ede50ecdbeb

SHA256
4e5a2df5a24e883cfaec38ec733c1d8c2571744895f9234f97497a704a42bb36

SHA512
3972c737fd78ce7497c6132b9840c7e130c5ee41affd61f91be79a4629698a81a2e0b8d3efa3889a39abc3ed3d7a1127547fb264e0564287b6cc6b629c855334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b26dae87802ea3d54f518a80af8943ec

SHA1
c0b050d6e961eb22dd01107166127ab795202c65

SHA256
3d8216b9bb63b07a95a75aa4e7687f51e111b97e2b3ffd4c87249e439bc1fae1

SHA512
a8e656fe0418583e3ce2fa1f376da8ca29fd9e54e0f4a0fe6f969379872ba7f02cf768cfe72cd0ed727cbcec41081b253afbadc01bfb480a21f5585d7895cb6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1bfe83356d4b7eae2e9f94f30da153a1

SHA1
2cd21acee8787874a73acd54c2ab67bd1b0af697

SHA256
eedae942942f69902c2058975d17ac762671f79d8a299a07cee41f310b69e5d5

SHA512
ba354683df309e75e3bd56b50682c2af837a9684491399b123c7e28ffe88aaef1114989ace4df44cf62a311aa7c4a1a77b215b85b7bb56b67573c0bc263c48db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ab1e052495d5c31ece62951ba5b391b

SHA1
01c9ac88858fb792d1caa418313837746abb4407

SHA256
d93873c63eb1d930754f34bff019b4533d7e84ba2d90d8dc242cbf8587441c40

SHA512
e832bf7af6095df4eabda14278ff5cff3dd014e6553b63f44fb896dcf3c1c59a118f01a5ffc4c06b0a1df6a87a38fd837d9cd3842d77b728c96b35fc5aa18a30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e4cb685059ee69c02d6c05c3135fcdd

SHA1
04ab59aa478be419e9012141ce6fca4e2d01e7c2

SHA256
8fdcdd03bef0ad6916aa313a34d8a9a663f4ee7ccaabcea51e39e161f38a5bcb

SHA512
c5d99829253f1eb926a35a019a0a3d024e62f5dc3db62735932536eab88ac47d7d71e48488ece36e6152ea314909f6b31fb75ee2ce7cf6f8cfe2af36f81a9efb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f79a3e93734baa1f20a1a3f860a0676

SHA1
7db44b3afb5f934860ccfe4e8ab0fabb75580ce3

SHA256
81c929dcaed99efa214d30c6ae3c55840721bfa3dce8210d4436409801250cbd

SHA512
9255c5669035f045a662b3f0b4784696c72e99ae8b0e879609e214fd47561453eca7d1e5c972c70039e1d4697fdfc4c5f748c2d0b0e0427aff076b94a0390a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f50d4ce19169daa42bfa1e561040237

SHA1
5e7463d13451ec56e81c2a522c867f20b36985f7

SHA256
f591c9d78fea976b88f0a1311f9494abd390de6c81f640078b4e68b16f7684d1

SHA512
c8d2b7cf471ea0fb6241f367ebb90564ff4a9ac6d7b1bd5e5a068838a7fd6bade6888a95fb57b864b821ee3d37eebf1b3faff6928abd546bdf95ab5d338f216f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b86a650efb4ffaa41601f6c4bf803845

SHA1
426bcabc53fa2815325a03f926c625e1ca293bfb

SHA256
60b362a405429315088c71084c1f2a196a93d0f97cb8df83b778f623e02306ba

SHA512
e38cc1ac879c913031c11e23fb406f1e1c017691fbdca75bf220874757b41d28c8ccd69ca44faea2a79123bf2a799d50365325b5ecd3c4ebb00edfc7b267c7e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55fe7329465f592e9bdd7226b5324b59

SHA1
e162bff09ccdb6c30daaa1a16cd3faf29ea6eaf2

SHA256
b5f13e97bdd2e66356d40e8f4e59a4574c671d39cc4f7b3fd513da44c4c0fbc1

SHA512
41ff83a5ebe543994a07b3030921d62d545294329245eece6494a08ccdef45db1d121c5f35c3283a418a76522df0445305dabc97d3f6f2e5944e0878ababeaa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93f8344397d0db61e88b8421cc0e7d93

SHA1
cae51b2cf55e2bad68b66dde4ca75abe5346615e

SHA256
bcfdbc6cf30a3079b2717ec8b06c1fa6851bdc42f6ab53f5201cf1aebfe31679

SHA512
12f1c629169be67a3dd67f63a6fd63f1e4a6d6cdc68da15860928b114f29a1285b6521e059ea6a4ee1988f8a6241440afc86fba490b835d0232d3574450d72ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e833eb5a7844792d549a962bc5e80d21

SHA1
a610e663e82f6c1a86be5aa6cbfccac4d4660ed6

SHA256
1796135788c9d4493b45d4558f1b7c00075d6c1db1dbbd7629bcde1d9d35d7ba

SHA512
fa0b8949ead0e7ecf88db9121f0ba66598cf5f3efa228cbba7ca484940d7d732d0dd050360103a7cb935bd160af54e631eb1c02372ef9e44ef9ebe0e52c012df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcfd9df0213d15cb80027ba0c030f1a7

SHA1
8fd7120e7b7e77794bd43ee8a50241da07745ec4

SHA256
5c32401fa52ae77657180bd783a393319e05cbff845be321ba4376a7cd17e6ec

SHA512
21bc40c5a5d33bd5139eedb79aa1b5aeb93a5051f5c1d8145f4e13a3b07ab37f838733f8f45e87e03a83437b944b7fc7d72b9f4a655b96792191cca9d9e3fe56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca773a3fa935168189acc124b820f949

SHA1
19b028d24ebcf728745c740e04956b078a75f20a

SHA256
3fafebe117ac2a35b86cee98dc2956d414f06134e165947191bfb5b2fe83a78f

SHA512
ddac0c0806710175a044302f900a311fc06b4f13f8326f5d0dd44384d95d7a28627aa1a43cf113749a2090dda525dd2b13fcb9b59e1db746781db9112aa02e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fac29da7e5faa2ec002d5fd1eeaad0d

SHA1
f0cc9f1a7dae59d2b952c958f910f0ebd72ded4f

SHA256
ee11e0f0210ee431222d3879981ae5261f68adb7b9639f43eec852b3875a8a66

SHA512
f55585681754f96a159589b148993a0961c2419b9e00256fbdaa88327f44c0f3b18a3691d9363bf673a921b0134ac4be59d79b6dd3b38c623827c229289a8eeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a553014ca7b1c347853ceda62978d1d0

SHA1
91e59a58a4ef78b21a9b5b03e4988a2443c5e98d

SHA256
a6b61bc3032cd7946a7cf7e5b3b393802fc116ca0ab3efb959d4e217ed35c15f

SHA512
9ad1f0a2bcfe032467163f1cb877864701b317038046a30bc0fff1fcca4b56b60c698f0b47918ecf50cba2374fb301148be43913e9bfce474f6ee213b4a1d9da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f485964fbd2a294555c8dff9196bcc6d

SHA1
7a80c0440cc77c772f17c774898b65aa8ba469a1

SHA256
5fb62b2e513925d5fbd9942824f09797cfd59eea33b8fc6bcca9e772f47e786e

SHA512
8bcf543dea37392f8e7940384f1ad5f1037b97bc7095dcfd4ef85e2680a2800dfa1f01970b08a1c164d98410f86698ef29c2f3f0f42a39888389bdf20179b669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
016a14381d08d90a5b03dfeb35067820

SHA1
74711c81637e9f4fff0d995b74e897db1563c179

SHA256
d1203928beb29583a0c3c83de31eb7ba00bf149ecda9cb78057a140d06ec15be

SHA512
4e1a1e8448dbf0197097434294ea755183124e4d4a9c04ce63fc776afb74a83b1359983ef133b64253e570c8ffb1e3e8397654835077656757a8b2025136a3e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc033630851f61c097a55cbdfa305299

SHA1
ed0ae44791edea93d54b96df6bb6294751dbdb54

SHA256
e0d9e9440f695202650dfa8d9053e5d29aa718ef1d71df9211213db52758aec3

SHA512
042ee3495bb8f3877ff870f443deaea966b6e35daf34d5be28984618255c63e0ac4551772f678b3b292518119e33d573547ac3c7b228b15e26101e825bf2059f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90e70e280d38206ea52a8e3b33e65fe5

SHA1
df8d90840c9fa7f0956368c62266926293bc544b

SHA256
c3c2c5e307188f96d53f96d1ed4accecace72496b7bcb643523e8eb7413acf23

SHA512
d764b88b76d9669bd66351f7f69b89d4561f7d08ee785f5e4a84c638ab08d21b1096ad0cae627f451cd6186025297d065b9f433bef0d52d224536b118916653b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4350ac94f0fe8719fd083cfc1d5f482b

SHA1
73f512fdb1a251ac291621cdad34be3544ba1a05

SHA256
6e86c3e2171b479d0ee5b5eebdeb4ec3c3a0fafc00a0ebec06276ac4dcf1f602

SHA512
49efeeceb727d39d6d5395c71b084e90474029551eea104fc33d8a1633b84201e0d50f8bd036583e2776b55667cf48e8b4024fd5a84f16852b964fa9ff38f9a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
843527b836ecf50a74c14cb650cec048

SHA1
6eaf65ce9f3d3ed406806052481d5a8a627853aa

SHA256
c1a153dfe8eae2c60216b793571f62b0a7dbf472f8c644a0b29a3ed9f38ed121

SHA512
bcf555b53381ae632772cbd5d9387926bc0e9e1e7a9f0e171457ab3d57373b1fcf935c81548e8d824f2eb1b3198c654eb7afd8a1a4e48ca5b9117c31ad200062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42e53d2175dc31705f214227633acfc0

SHA1
8f3f6f4a68bd4207fe52c095f72fe2d7c9ae4ae8

SHA256
4657706041edf0038c0d52d58dd520df335723a7697d0facb89084baa9bc1e6e

SHA512
0f2a1c1aaba52dc52e6e9eb33944c655e1728f311d699efb5d3d80957b1eef8bdc98e1696f3d5f8f839528e3609a43c055b181bf2f3933b70650b4edd660e37e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a52268dd8f6f1d7b415f7a0cb22f7d9

SHA1
2975614df2daca2f0f5b0c916e1a95124cf5737c

SHA256
1d5fbc5867436dbd419a62980368a7055937cda7333d76898280dfc3d52cc465

SHA512
7d146e909463278de992123f525cb933aaaf94beb099b1d352c0144b66e65fdbfb20e699ebb4cdd82aded72c1933a61f76ea17fa19873291bb820596d76f84c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d951133418530667b23ecd491a370f35

SHA1
c0098176ee3ad24791d4abab8eee6d8b680e088b

SHA256
d4cd5828aabea13076c72104fbec719682038d07019123e6953a860776bf8244

SHA512
f1518674da7f982c8b465999a5a2ad795fe8afc6ca8a9844e63b1b019ec3d2bc38bf9db0a197186df37181815fa442679384a5891985c6ee5ae38a760a29a9f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b20a7a28da793b82025afbd8ab9edd2

SHA1
71c98a93a66cd5b3dd464ea26888a0fdaf8d72f6

SHA256
1ff474162cb6bc41f82ed32da68f7c86e57261d557be22643746df3e19630b97

SHA512
8dcd1a9b418276066100bbb7ee217d8d317474231e2e474d4d48c8fcb48ab5879deaf28e80251dbcc20fc7965212c4f480f1de3bf69a49a424aa734b8630de45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a3d3bd1b20502c82d79c882e07f5368

SHA1
713e6ce1bdb23df4221d2156b6868bee67e07d79

SHA256
6e9023c80e75815a2703b398539572e4e10bf9b9deecaa4307936698bfd58528

SHA512
02233c05ad21fb69f28eca526c604e25fe7ad3864b0c093ee71df0784e15ddb578aa3fac9c45683f61dbfaced5019e188f54c726946484850ec62718ee1a2604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
018aae400e83a4508c21459d83d9cb49

SHA1
dc25c03ba7623724ffdd81e7f57d70a203b61f08

SHA256
ecdc302f3b0e379c9bdf8d38244c189a566e353ccece659cb19536cf2a4459d7

SHA512
91e2ca1802098299d234fd1aa798d876b9672672f189f500376a40c3956dcbd6e3a86244f672aca22f3e7fd2bd0693fd20e47f9fc0a7f659b69469384b12a9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b50b469c1c99ff9a2dc677a1157852e

SHA1
d5bb221a097ae6ea21731db6dcd039a9ecdf8278

SHA256
bebe7ce8a8f249bc956d1d976b698b132736338bdea4cd4590f16a5bc4106ae1

SHA512
218a933073f3bcf3000e8558aeb68558f96ae21472e430793802988886a9b440995059bc14da63ee0580009c509be0d4332ddc4f0e625ff13444b0f734a4849a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83472d93772080ffd022c1bb464840d7

SHA1
87cd367f6392f546de819f217d3ddea83ffaa2cb

SHA256
145a944e426012b28169ededfbc8486b907366137ef93588e2e5a130fad0ade9

SHA512
ac67641e92d1e87a5b29cc99a0daca8a5017c1d96bbfb02178b896282879b1d8eee90ffdb0b7020222f527081615301079a3ef60c67e09193938f5ebc34a221e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33fa9078937fe4b640b6e05b0198830d

SHA1
dc9b7116817c900b27a171a79d561a82bfb15ae6

SHA256
aa9e5fe73127306de435761e034633e24552601c1cf9f2bd77e1e02af3049e51

SHA512
0e0cf73233739d862dd727fa496c43bb67e7ab250f46d9d884d09fd5bc95579e183f067fc4c895a1ff651a76ab21677fe44343617225dd75d3ef6cd3e4f2d9f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2be95213b0ced18644529536a6f87ad4

SHA1
7ec5309d29d1fb6a0d2a89bae42214630d820d3a

SHA256
3575733b70e38a4d75a8e299204df526bcf20c889a008506f4366c4eea933c8c

SHA512
456a27736914941cc90290f5a9643e2fd83ee7900e55c616d73ffd22ff98c80507bc149ff0b7604fb4ec3a92efbbfea32b062fb381679b241ca8dde96113e3b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
14a83d0e5cd9f0e886915be9c10d64a8

SHA1
8c8da4be6a6570aa2c925005077bd9784169d4de

SHA256
e0e929dbb98c68c2490baea2e715a5a77d86a3a332fa442cbe697ddceca332d1

SHA512
1eac0c4d394c143c17015d59868678795957fb6eaac16c9cfc4304b365abd082c32f92dcc076292b0ecae697b52e6c5143844bc86ff624a1abf3eb2c8630aedc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0c30454b-affe-4a67-8d23-6703b811cd07.tmp

Filesize
342KB

MD5
2ae24adfd22325ba015549c7a9497499

SHA1
5c5ec91cc9675410c38a7adc4ef6cd82055a9eba

SHA256
925c8c13e602814dec0d09068f8bf9eede55a1ac88f9f5c42d66ca58f0ce293e

SHA512
88c0245a0d0da40931624315ffe72b860c989d31d2fc9944dc886a0aa1ac2d2ed86362ef479902cd846e0e70eea6f972a02d3653fc34dd9bec2d6bbc99b5423a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4af14b992d16a9097ddb4009c70b96b9

SHA1
2606b4a060c324c2048ea8d54374d4f2402886eb

SHA256
6ed45c34d54bb5f6e8b2a14aeb78406c243ca3d5eecd7a00089957e8c98dc7ce

SHA512
3d7642f60e8a54040b80872747cd6f37017c77ad3ec3f4370fe5641f8a0b76ffbf59f6592f9851d35ee192789b525e2e20d9cabb4c52f00cc08ea3bd94fa8987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
cdf638ef15a03cf4e838feb124ad821a

SHA1
abae77d2131dc03d73381be77e26cd7772a1003f

SHA256
31b04549af3a41eca592d5f30e84e06b31fe34db17ba67e0c955e9e197f3e357

SHA512
bd17f053b87211744070f5c5630a34dbe96ce6d103f51102fa87aa646cd58d03489bc1100cd017de4eac5bf10776e3a0ec797cd4678d27a328e554cd721a91f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d3c5df8af504488eb114957319071f64

SHA1
c656761d7323e26e30b372bcd3e61d1ebd6c79d3

SHA256
838f8be3d56b6f0a771898fefda7433f2a9c7138f25c7343858057a6cb32b29b

SHA512
2f0cff1eaf6a9d97bff7ce42107eb99322b79a95476ec265cd712e9d6f6084b88264e171c09d6374261cb74ab04da747df91e09f803bf5c208e1ab0c22a367ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
ee458c576462501c24c686fa33f18aba

SHA1
cb4a9dc7b3c52f336e88c021af0cac280926dd0a

SHA256
e1c79b14eac2491beece3c695ada02114397e4baadae0836a0c0e98cc8f50241

SHA512
68064cc7726877d3ee65921339b9ae613b90b29b8d3b362a694720e968582a6244a89e6a4b1ec8cc636a50c5cb38c51d6f1205dc355eae4542dedb3fbe4b19cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
35ffe4d9c8b7d48f764bdaf545b28b1c

SHA1
b65c8cce0ed6a7baa64d98951287a2e74c44ce4c

SHA256
5d1649d64ed15dd26c22531c6f426f26eb991f6c69370c4da59b5cbf47fa710d

SHA512
507dfe578d5a7dae4753c9eda72d8f12e89cbd4a48453ddf305d48afb2cf8a9367741d281d2264a189b4c0d6db1661a47a5de20300abe81c8efcda879e07dafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
28KB

MD5
d941188b9b59bef71f6e45581bf1e79a

SHA1
6e94b7ae29d6e57f671589dc705db04d54212521

SHA256
dc07053ec83b93bc1b877fea01a9117493077e7107bfde0441b53e523d34443e

SHA512
e74cfddad66b90aeaa2c0ba905ce05c30f7dc23eb18c69edc13cfe083f1d12db336acceff22715650a5959718bc723790b0dde4deda698d74850bc25c1426de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\135a9e73b7a29232_0

Filesize
204B

MD5
f543002abb0bc5fd57628dadf766c256

SHA1
5fc48983845bd21f7058f210020ea9fca2be181f

SHA256
8c6e480f7651dd928f0e37c23f08979358c91cf3100691db67e917ba11b7fe87

SHA512
10b20bf272e61ef95bfc1b4aae7eff87b958a54cd52e67c3321b9e44010dee6f7366dfc4f496d977cb4c0ab7c3f48eecb8a47d84d6c34a9f1142c1f6ead1914e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
4de6dcdef9f2260f86c1aeddb4a696a7

SHA1
5ee877ecbf8a5880c81d443aea8d578e0d459cef

SHA256
9ae91ec3580c8d6a14bc8f12ad13a55a9f77fdee5c16f81bac27301fb1e04a92

SHA512
2976ea1661f40f135338ea79b459b9f9ba1c1b1b447623425b59a826e86e065e951d76741f385ebd3fa4824ff7089fb6ce0013e216bde4fd8960747b0ae727b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
090aeb3004ff05279893edf447848876

SHA1
fb1b8bf66a828119bf342ecce9ddee7ff81cef46

SHA256
3866fb5cd88d9e0c0c8644900d7a914cc3d2c6a500a1da130c61c221044958d4

SHA512
b0ec9b32db9f9984e4bb48e91240bc6e705a0b40fd5f1b254d2adb5cdfd9f329c53893bda00a588be88e7a4b74b801b26c42719350b20e236173ebff4bd9e8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
10c62d9e05552dfa48ddf5875df611eb

SHA1
f60a30379d47b9580e1d0d5a44d5033cc08efc62

SHA256
21efe53c67416f442be3f91091bec72016f1a257f086941ba0c88113b723ac74

SHA512
97c31127291b7eec5b211aa7fec5c4abd3d4e5039203d9662796c229914d480acb9e16e02c4f8d72be149b0c76fd2220c1994a33e936fe26fd3ae2dc22cc381b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
b9f30ef0042d50e9df7251f7b721ccb4

SHA1
a6f493d7a7eba70b4bec3b46e8e3fd74658e8046

SHA256
f654b50d97ff74f71338c4109aa782c2f070b39c4bb00118c24c47472d524649

SHA512
da4143214489c1a28964e35b9836aa3f4c30e303a9daae02473b99f838158c46e5f97b9f136addcb3750d0df3a914a4a7153eef40c78ba40f46ab45013619e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
6f120177da2c780ddb308153ea0ca09b

SHA1
0c0958d2a8939286aa427932876b477959300648

SHA256
99ba37c3c773a1f77a63f73eb0e40d4c263ab7a082f90939a8dc7a1c4c21b43c

SHA512
53a74662a1f64afa43592e07e607c7606a68c0768a2fb6a28c187a1b237feaf6a90669ae9fbf068e617ef77e8f31313ce50e5cab900e6f47a1782218b0fa2014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bcafaf048a39be3a34480b15357e939c

SHA1
82fee2b9a506e4e5b2dbaaffdc055fae76293ece

SHA256
fc00e7e6462b4541034edc585eb4064b26d3d0a29b2b43b343ca9761627cec34

SHA512
0137601841f5205a63fc3b710f47639d8f04be277de0471e540501fd24c4d3584bdae6f04bc3b9a178972de1b8da4b53b41bb64d54ce2f86acd38156a089ee98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
198087a161682b356623ff52472435a2

SHA1
7ae9969d3f5474edceb9e861f8b5908f20fd10af

SHA256
54dd79f5e0575054f6b4f1ddcf5f515585ba4a0d924f54e221331956cf4c75fd

SHA512
0bc765f9c943adcdc3081fca4a26bc171bdf08129d7488eea972488a6680da21b2a0efcc35956a857c0015cfa3a96d5563908dae60b095eb4c14829c50fe5050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e4163d5372c7e92c3b3bf1b72bb256c2

SHA1
e6b494bb477611d86614fbf19c851bbed9020672

SHA256
39f188f6b470b9b78343b3eb9d6747a81322388a15269c06e34e0567e7d4795e

SHA512
6dbfde40a03ca2262d1cff335a4a83f218881e08193f1c9832ce16c7b7fb7fcb6bfeb23bd0dd80295c99dd8f22a275147055a1cdef774e853ed3b07f0f4a2890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
66c5be30be38f7610ba9d67c57f7b66a

SHA1
24bf39271a378fd709deb2620ae1a2e4ef8e488d

SHA256
cb6d82c81faff52854d867aeb4adc91912d8175450f417a8b194bf01c8f656a1

SHA512
8c1b60c8c860e193e9eb9eb54e38aacc32e52d7d13eba8efd78ae401fce10a1bd3c5c0359fb1d5fc54668bec5f096fc29442a491d43bfed2742c13e80c26836c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4ced14928efac1536514b6ca19c84e6b

SHA1
63409c97edf4c6da0527451bec282b4bfa977a43

SHA256
b6824e1273c03d232768adf58cf77a39d553277cf2e2f742e2bd118ed0e139f6

SHA512
8a5ff727bcabbf92bcc32287e91aadb777fa7ec01cdc07462baadd35a1bc057ca2f37cd0bf583c32071e61cdddc3087eab30ca4338dbe3e2a54ec796c02b162f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
247B

MD5
c7e086e5c94e6fb2da7cd9554aec0e61

SHA1
7aef7655f1ffbd31753f575181b6f0212dba6507

SHA256
55d67850ac1d3ed804ba3413b2de26bca35170e69b8d3a9eb5de783bf916eaa2

SHA512
b8fd4719645416a172877c1854bac395d46a3027fa6c05d80a3645b27c5e5ec36ec1a0290921365d19b8a07b4ad5ccfde863b30d619a7bdb6eabeb6f61795cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007

Filesize
90B

MD5
b6d5d86412551e2d21c97af6f00d20c3

SHA1
543302ae0c758954e222399987bb5e364be89029

SHA256
e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191

SHA512
5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13385230601084200

Filesize
2KB

MD5
0ad4d9772b11b9afa365f613b80a4f9e

SHA1
3a69e5a8f18080e09b846620f1003f902a180973

SHA256
c9ae5777eb715ac44e4a360a8276060be6edafaa0889bfc8ca283faa81d5a51c

SHA512
fa846df6c1c2011a854301d00731e688bfacd1018e5a0bc001d0f8e1b2bf111cc1575f26d16dd4bcc2d106f764efbed1c9cbe86324db4008150d09018c86a948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000008.log

Filesize
72B

MD5
cb16c0ddf8d9aa64228bbe90ffc35ec7

SHA1
2d5344a2949daef81fa4b3011475ea445b2286ff

SHA256
2dd20ab05571e10b0d7fde13f304ae07db96a68567051c6976fa50443664cd17

SHA512
3299b7d2299e4c5c785203f3d39509d0796948328c6a81c751371f3d0d30b08dc819a31303824689d1833941cf592d1120b2e832825027cac4b8dc342ac42111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
136B

MD5
63e424125802a339dc9205b59b700d45

SHA1
1ffde5426db2d2ed5b96ebe3877243b17af46886

SHA256
3da6d1820d3e8a955dc1467f26b2e0d99d753e99302eefbb5f12db24f7caf730

SHA512
f0e60cb2b34645901397fd2ede78660a09b0bf477f369b23b4b1c432826808c3bd730e7c9303434b09d08358aca3119b89bdda4742ad9c236dabea5595ffa63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

Filesize
107B

MD5
22b937965712bdbc90f3c4e5cd2a8950

SHA1
25a5df32156e12134996410c5f7d9e59b1d6c155

SHA256
cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb

SHA512
931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
e6305367badace56469a80ee5699626a

SHA1
43c630767f2e7b53541f007d12fc152bb0dd6b42

SHA256
c6bb8753b375eb83740a84710049bc0bdf3c9a16aa79089976b97c8e844378fc

SHA512
368a6ffbbe92d1ae144e140f3e9202116905656d295e95fec8032861b4dd7618df29c9c520981078a9cee35e73f22a204f39e531abcb6bec5cbabb46c420d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

Filesize
2KB

MD5
90665348e754e2e24efebdb080703c9b

SHA1
0a212ea41a1453dee445bf3f9773711e0cbfe3ab

SHA256
cadbab74d5731b950589e2c1430f3c0bce3adaea5896690ff3457012a9de30c5

SHA512
9c724f4d0872d546eb9a4852297f669f0523bbce098343ee9dcc6bcb4507508d884d3343b06ac3ac53ba82c4d753899a63a7aa5a7b8f28d615f30cf71e5cb605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
250B

MD5
e4d47e22c43961f74a1897d792a3977f

SHA1
f1cb4805629afd627a6f3330a03a3b44bced435b

SHA256
4148d3bed231e35cc55c9cfeeeb4cd8d4f18a4f55eb728133af706344f4d3d55

SHA512
4c1dd69e8c23b20078a5ccac7cb003c1b94cdc8a6fe0a63f7a49d517a5135bea8ad8f470b061be5634fa68ba8b16d104b46cc5db781bb59a22ee4d7d4ec7cc7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

Filesize
250B

MD5
03d881fc5a4ab4013bd1b30988abb179

SHA1
9ad861569715575d7b676e5683b14dd3cffec304

SHA256
5da7b30f55f920166ad821f532fb95bd11546bf63a228fc41357aa122fcaf5e8

SHA512
29ab8ac2c642a83086266f88ffde8d71c96cd0d98812fac526e0a0adc58d8bc7f99760ad19a71cc38c3ef5edb9ab9d642ef6b665bf4ce336260b0171411e26f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
2b744811e7588b3e0e40bc8f0187b09f

SHA1
77df0d855bafadca3db72ef9c076cafc67a14402

SHA256
af277d963d315cd8fdf137f1d3f27cdd8ca09ba01fcf509e62d7698a1cd801c6

SHA512
3bd64f0c871b8b5d64e00deb234725a97c052ea1234863e8b16853e60393222382a8c66bea69c29858f0b470e5a9dc5eab865dbc376f76d8fde67825e75928af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb

Filesize
487B

MD5
2a4ca0358c67c67ba3e9985b869fed28

SHA1
073092fec527084d01cc6f1885e6489bdabe6b3c

SHA256
bb7949ce529e241b46d098514f829dcb6fe99aeb68b784782aa0cf34c4104b17

SHA512
f502ba1a5d30dfc0e82bae895c435191eadcac4989327de4e2b48bdcc5b3518df00269e7cea1776e435354d08d4391aa2de03fcb91430c17114abdf710cc0ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

Filesize
236B

MD5
367f3ee8fb111512dea6139eb9822fc0

SHA1
90c2461d92a92d6758cfe5c15021c229b8292956

SHA256
48daae5d0ad90ae5354eddcb2178dfd4265a3e84449aaa8fa55b957a24e75a8f

SHA512
93e085bb4e2e09ef59bbb10e6759ee55137d34af64c44a82ec88ebb1547a082e6f17d07d32cb28175b72310dc0351f9b4c6d9cd1608f2886b9a2cbe72897b002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
249B

MD5
15c230e99a70dbd961ae9e6bae389059

SHA1
4fe756fadea16693aaa4e6f20c0fc7cef7a4e1d4

SHA256
f8cee9148e2202345a5a94ac64b3a22d14c2dd298b87c70159b4add1a8df54df

SHA512
e685f0584245bc148ec681fa43eed651ff4a150801d4527d73a015e660da9b4acdfd04b7b202327483e0e5db7af05800d61efcea3dccb7cb6b2bfb386db25581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

Filesize
98B

MD5
61c22786fd625f0e68e668ce2f2f4069

SHA1
5e63f1ded1fbfcdb004da5f4bd9b9d3f41eeb0ce

SHA256
2c0248caa9603b6782ba43028b036445216782ceb6c3bc93f1105030f828e396

SHA512
7fd9cc680048d8e4730cd360836979d4f0f54666f9cea87018e0b6602ae707503a62b84bde1a701410694e434c26dc2faa85e7a2d54d989b6464f0161248febc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

Filesize
318B

MD5
407d61f319700734889ffb4d0bc03dbd

SHA1
0946be336fbad7aa6aaac38719bfd7fc9e562377

SHA256
f5bf25b2093dd9b87b4e39f4706b7e54fcaba968afb2f134d8b157e361594c67

SHA512
644939b2fa00ee2f0b94409b5bc3123c1ef906f6ef8aad5d83b7885fd4caef9dd6580f577097c0c5914cfd9770d8540e6084b86fadc1b6e9229a7a97662bad07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

Filesize
34B

MD5
fe62c64b5b3d092170445d5f5230524e

SHA1
0e27b930da78fce26933c18129430816827b66d3

SHA256
1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4

SHA512
924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
859bcea7d3347bbbe7f221c5f95f9a45

SHA1
67b99b6cc2250c03bba96a9cbd182937ca45f014

SHA256
d7157bd4257f6840e112204767498e08cff6ac9920b2835d6420bb9d7626e134

SHA512
adfd1b41168871d74dc0b030c9af7d993ec59cacb038f856f8014c30eb81d37a2b91f9d76aeb83bed44c3a34d7c38ffa75f968c54a7d8e648ff585b7e1feb6d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

Filesize
118B

MD5
fb45dce6bda278c7d3d13b393437b975

SHA1
401dc4c3873fdefffb73d4ace2c33eba4da6f031

SHA256
39ec38c22a26d9b457a468bde28023cceead2c76c189a2b9ab9cbbfd7ae62607

SHA512
966ae0e1c36342af2abab8e62713646fc4c17d8013fb160fcd58891e47413b89cc5adce1ce52195e7b985c3e3f9092f63171dcb7a1fb572195b008a88d2b5aa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
342KB

MD5
52e2be287cef2ddf44a1f4a22a687c4c

SHA1
c83830dac083d69e4cefc7db5d15b2483e8981d1

SHA256
c4b74fb123c1f1ce9fd07d29a743fa889d2352e88e87b92ce2b7fe14a66ba57c

SHA512
6e08bb8c168dffee569c208d567da0f2fd9b8e987ae050ca1e217f9d8a8cb22a15b300396f890e2019b0b7f15f5d9598fead0e318633f7326059f8bd7fbe1b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
548a9e540fdd1b2a44f72f7647417803

SHA1
0076621b19a2aed909e210d591c5f0bf63837614

SHA256
5ce7bcd508412b69c022a2636dd4938daa62fb6d81ea8112936726a34a54329f

SHA512
c740bbe2d944010c24696511dad9f90eab5e0d1d37b1430767b8ab8c93b5098e50a5ce2b63efda44d42d2c5f1b8faad9762e3cb8fbb00f61e9c78740b1ece80b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
90a90bc0520c3657f644e142f4ff854f

SHA1
ab70199773a0c7f1f567d5d65717a691795527ff

SHA256
156a58f96cc5f6ff7823c4d94d73f229ef6013bf23334fdcae459867f6424e2d

SHA512
6cc84918c9a243a8f2877a9b44af2b067f207c8e110e8c6c91c48354c39cbf21d0f90d2d9058a28b6a2c5a237ff112062f371c9324118dfae05bd7ca2751be3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15C9.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
44710d2aa0e7c0f31c80ffa7b2cf4c9a

SHA1
efe05dba310ddd8bf56a76e946444fc0c0ba2458

SHA256
94f1482d8d57b19f0c02c16210aa118b70bc7f511ab1bc7f53271d597348ea55

SHA512
84f681460e28249fe4eda28e69334e1c66798d793990e8abfec2706b8b8869ad435f83ae3f908a2c893b7974454700a35891c12a561657d4724ac23df62652f4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
12ad00eb3e0c5af2e45ecd48d9f1ef9d

SHA1
1303d9e35c314630891a5d7cc5c5d5cec439f5ec

SHA256
b070141618f602eef4763719e62d04397fb328ba39821fbaa8d930bf6b533dcd

SHA512
4f41601d459fe5d7afd48a45b70b74341f37d375bebbc868b0d05394ddb3d0aabbb8b82291ac55b2b119471af2f7e809d4117c72062c65a957d58ab9e5550825

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
11d6ae3f62257989195e14507b2e72e1

SHA1
b10f0b1ccb75bfe7009d13223ed75c1ba5986818

SHA256
785bafb5f3995dc14ebb8b8a58bead8a57110f9735b47f3927500e74e66df511

SHA512
a935166564af4e770de12fdf3cbcc32a671cf7fe0163f2ab1f928e8a90f121ff409909ac75454f45568430e318f21560113fc467b07e841f02ee54b345300744

Download Submit
C:\Users\Admin\Desktop\worm.bat

Filesize
1KB

MD5
896083b42f57bb3fcea3ea5075487efc

SHA1
55b5d97e6a348f49c9d25f4aa0b1c4a5b96f628c

SHA256
a01505bc7dc2d9cd4cb509be2afb839a598a31a91aa83ecc92aaff8eaa13258e

SHA512
f4d3d68a17998b0bf77d7837d3deec1f88986b40b37446fae3aa7fec723a1c1a62a8803606e025f59bffcc78154ced207102a3a7ae3eb045239d8db494e78be0

Download Submit
memory/1420-341-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1420-343-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1420-342-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1420-340-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1976-1-0x0000000001120000-0x0000000001138000-memory.dmp

Filesize
96KB

Download
memory/1976-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-3-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2864-394-0x0000000004550000-0x0000000004560000-memory.dmp

Filesize
64KB

Download
memory/2888-455-0x0000000001490000-0x0000000001498000-memory.dmp

Filesize
32KB

Download
memory/2888-446-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2888-444-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/2888-461-0x0000000003220000-0x0000000003228000-memory.dmp

Filesize
32KB

Download
memory/2888-438-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2888-437-0x0000000001480000-0x0000000001488000-memory.dmp

Filesize
32KB

Download
memory/2888-395-0x0000000001B40000-0x0000000001B50000-memory.dmp

Filesize
64KB

Download
memory/2888-411-0x0000000001C40000-0x0000000001C50000-memory.dmp

Filesize
64KB

Download
memory/2960-7-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2960-6-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2960-5-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2960-4-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download