b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

metrofax.doc
Size

221KB
MD5

28e855032f83adbd2d8499af6d2d0e22
SHA1

6b590325e2e465d9762fa5d1877846667268558a
SHA256

b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512

e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

4^/10

defense_evasion discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{2B60AE7C-13AE-4E63-A515-800D2A9FC8F6}\8tr.exe:Zone.Identifier	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874074927780334"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{2B60AE7C-13AE-4E63-A515-800D2A9FC8F6}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
5316	WINWORD.EXE
5316	WINWORD.EXE
4676	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5316	WINWORD.EXE
5316	WINWORD.EXE
5316	WINWORD.EXE
5316	WINWORD.EXE
5316	WINWORD.EXE
5316	WINWORD.EXE
5316	WINWORD.EXE
4676	WINWORD.EXE
4676	WINWORD.EXE
4676	WINWORD.EXE
4676	WINWORD.EXE
5316	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5316 wrote to memory of 3808	5316	WINWORD.EXE	80
PID 5316 wrote to memory of 3808	5316	WINWORD.EXE	80
PID 3788 wrote to memory of 5360	3788	chrome.exe	90
PID 3788 wrote to memory of 5360	3788	chrome.exe	90
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 2800	3788	chrome.exe	91
PID 3788 wrote to memory of 5000	3788	chrome.exe	92
PID 3788 wrote to memory of 5000	3788	chrome.exe	92
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93
PID 3788 wrote to memory of 3744	3788	chrome.exe	93

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\metrofax.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5316
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3808

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5664

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:5752

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92971dcf8,0x7ff92971dd04,0x7ff92971dd10
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1832,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1372,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2252 /prefetch:11
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2348 /prefetch:13
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2776,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4208,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3820 /prefetch:9
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5248,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5264 /prefetch:14
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5560 /prefetch:14
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5604,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5268 /prefetch:14
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5556 /prefetch:14
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5896,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5288 /prefetch:14
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5804 /prefetch:14
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5568,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3580,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=212 /prefetch:14
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3440,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3532 /prefetch:14
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3632,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4868 /prefetch:14
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3820,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4868 /prefetch:9
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5360,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5340,i,16439425616816841045,13781727722965252199,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:5744

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
e2c88652d0cb3ca5be75877f24726c32

SHA1
262a84c85f669b443621a763e237231330f1402f

SHA256
65eb33a2130a1cb8063a74327801f7d7a00abfd0abb9456593be43988177ff4f

SHA512
3b248611a319ef69ab5baab30a74fcf64a0c807b9338cd694f650c3e583a837ee9a2a3bc3275fabb6ce7a454f10260370c80f72cb9df5b6f96530ba91a071d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
964fe01e746f4dccf95ab86d92279dab

SHA1
834688a5cdaf907a1fd46ffe2909a8b0f6ad9525

SHA256
e9d498d4ead43cb35de5a7b60fc1151967f368c1ca5b7945f73ad94c142f7152

SHA512
e7577d14f2c43321723cddf2e7fbf7294b97b86a6e42db717ed185ace515a256fc9aade2366860e6586648959e511753aa7fa7eb17adff64b912eab6fe8324be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
348ac79fed5272ffdc2808e209691834

SHA1
bab4209f59a0289410d4f1ba0e108abf01055b6c

SHA256
96a74647e0134f07d65b8e86b89e557c1884d343c4dffcc3a7a6acbaad97caf3

SHA512
6922af46b9c8d00cc88075121660fdcc49113da096ab47e837c4fa6d8178058e8815908f07f4f36799b3b03dc258d9786afd4a122d1b4250048bf6f5c1eea6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
215KB

MD5
e8518e1e0da2abd8a5d7f28760858c87

SHA1
d29d89b8a11ed64e67cbf726e2207f58bc87eead

SHA256
8b2c561b597399246b97f4f8d602f0354a979cbe4eea435d9dc65539f49cea64

SHA512
1c15b65bd6b998254cc6f3cbef179c266663f7b1c842229f79ff31ba30043837c398d85296fb20d3a576d9331fee9483ca0cbd06270da2d6db009bc454aee0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
10a11d0c5ec442c71e19dca8865f1fef

SHA1
672d8437eba8482dc55db08c5329856b4e26050a

SHA256
f80dbbacf90a72dcf193b9005b3d6a5c4e6dcfe8441eabcacc80c53f3a10ea46

SHA512
1785b5f8a8d447d6379b595f3cd1efc9c41dee288d64794683b414acaeb16dc100656ba31f34722da3d86d87d6072441f302dd5da8ba6036688d28845273d12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f8cfa18f0abf0dd4a87aaea06a7106b9

SHA1
3b8b327df84223b658542bb9817cad25804c554c

SHA256
bfdcf5a0a7b0026a658f3d921312ceb518e982b0e1cb9888a0c35f4505fe8c18

SHA512
8b8910c40dccfa2b45db3d5d21574872a5e3e106d51bd899068ca8ae68ab1beb2d3f7622e499414ca9c47cc9a7709c0b13ea3cd81105d498f59886e2379d3453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d58d0e54fcbf579fad57a1be36443cac

SHA1
b8d047f9b074ea3c3536859e1cffe1795a4daefb

SHA256
b7c12c62986827d700373a7d3ceed3d05bbf0696e32abadf6f1ad04d8f136eb2

SHA512
be4cbd77c89241127e0ae8fa8fe37a1e96377d64614e9cda422622e91cb8fca078276fa667f510b380d10372c601b7cd9ec932d46149a2b049d8972cca7060b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
29a149bbc6d1cfb5041372bbb00a4c07

SHA1
51703e76be20da379cdee7af41b928fec7632b51

SHA256
d779c5d5a44247aee962c979330e62a99ad534ea140e409cda62f670d904912a

SHA512
ac910ad9a028b7305857ba33753c84f32b6e19d1b56edf94448e8dc4eb15ba2433da78e331549086aa057c5b2d6d751fcaa2a428d64b1c061dff9a467dd66e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
512a2366b1907cc133b118daf261999b

SHA1
e67ec383178365e4a0076db5b94182fd71b4ae0a

SHA256
0d3aff072d5032263f8bcca445c02eab3f8c38f77f3e5f6d2624aa5456eb8a68

SHA512
566c1069fc336da364591ea8e665b86b16fe6ac93481ba0c64499bbde637ad60b59159d51f4659121858959c3dc019ad98b4396f98a24b294cefaa4d88332b66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3582383619ab23b1048973f241799797

SHA1
e152ec0133093dc22d64166707643678e1e274b0

SHA256
50fcb7853c47e2207a8208512bb40f278f554cbe4f236d17b3d616aa6e475d04

SHA512
d14a58c2b332d5a4ce63c9945cd2e8b7dd6cf7ad23604e6ba1d2ea4812947e90f2202896596399892cf40edd74d98c68d08398cb388f383efe412a487c718a3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
87de00e9f072e04134dd9223b4702966

SHA1
3d57137821f12829f99dc272cf89c90894dc9ac5

SHA256
fc5f47e5588e4b58afd8a96fbd59a06d361ec134a7d8daa81911913fb8f38a35

SHA512
8d92f8b0851cea89f75064dae2e82911ac77996b375b6ed586de165d3f67e1aa15a022197ef034d08ab05828c3cd67cabcf4708659d1a5b29e98ecc47a9e5655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3def5fe3fad830829e1cdc55261ea726

SHA1
a338e83a940b57c8d5ce15bfaa442ff1f680646e

SHA256
8e31b981af0544f5d4aff8d1123d566607a78a0864c79242b92b0d8e92acc056

SHA512
836e586b34c40f1567bc17b34628006a386ef3614536eb45176872653f089a1a8891fd4b2dbad5bad00b1405a12f7b927f570e4a67529d5ccc258b99815fa3ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0d0b79afb3db3243a445f0980f2c13b9

SHA1
11fe597880ed8935625aa86110ac56f6126ea55c

SHA256
e91a24c5e609b4a3267ccf68399894beeadb876b593a775ab6fece06cabb7edb

SHA512
0587d75d8aca00d8e805b5631aef15844f797b99e32df9d89ea712efe80d4398b895213f54188267826d5489f2ad6356d9e66cfcec69de83e9a7d235dd197ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1a0d03b1ac00158176a9d5ed2df0215a

SHA1
68f3bf43516e6a9f0c2809247e7efff919bee886

SHA256
b4a36d00362e67124738bad231a6cab487cc0d0f513a670273468569a14d8e94

SHA512
411cebed85a3e283f14194c9993bde1b83ca2d59b942d8d1003ca3417cc1fe66924ec5d45be57cf9f6440816fb77ffff7791331649b091df4e5c1e7cd30adada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58dfeb.TMP

Filesize
48B

MD5
ed9ad02bc6141022fa365a4a4ef6a54d

SHA1
04f052822b624e0fcf3cd1ba21a188a05bc1810c

SHA256
2cbdf308b1596f43fb671c3d9565252d01b9368bca9b5a0f84d89940525b9448

SHA512
1af1480680d8b5505cf4416990bf0cfbae4347013550652263acd7e6ca139ebed161c4c7f6486fbfa4ee356cd89805cc4f3a47c83584f19fe62f7daf240b5731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe595e33.TMP

Filesize
140B

MD5
9715e687e44b3db9e9a1f00feb2cd4e1

SHA1
720f54ad5bbf162e81f680341c4c3e8d143a4d7a

SHA256
b8aa6bcb3c09cb8ef436956703f6cc186edd8d09a1248e199def7e7d7094b790

SHA512
5a83490d3e2797f6d8c2ad5b62bf452f728ffcac81d43edec46b1a84b397084e43c4d0490f67725b41c373ed4a9146394feacc89d26e3a784c813b97d5aa66c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
528f6a6b74c694d8c7e21653fc55de79

SHA1
7ad25813a782549e76f54d2e9dd2ad0babd0eb62

SHA256
21482461ef2a80328824a49bf5dd92b5bb23885e9f59b74eaf935511f2ecdb06

SHA512
76c073491ceb7433e33b961036d85e38d371744292d667e7ab6f2ea5ef8fe7241aa426c896fc51cdb738a3567ad0b1c45c4bc15df3ee905f7a2681dbc3798c0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
47c8bc9256cb146cdfb24ff26c714b35

SHA1
a4c282bf02a543e2a45e95455f41a3dceba31dad

SHA256
77bb2623130768ef28059177a5e6e501ea631ad27d877264c6412e1f6b66c51c

SHA512
b14a61a16497669ebb95e150b51334bd3f36e2e116480e522dcddf42fbc3afe78f3f6f0615966243203ca4936a1cff2f5559e03e510951dd8dd400bd4a399f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
d64d5b7c38a13b361c2e872f026790af

SHA1
88777508a6a16f5fd3771f6e6043958289f5348a

SHA256
20586bca7888960acb0716092c676f819ff1aa62aade6241c8e1017a2519c88e

SHA512
28ba7af55ae69578e6701ffafcd8cb4c73f152e570c8416b09f51e675a686d1645b2dd4dc7be8c98c212e10500029c849c8011d79bea3cbab8e61c3796cfe4a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2549F9B8-F10F-4130-B74D-74B6CFBE4399

Filesize
178KB

MD5
99b12e606c82b5d8c546c156e7db3eb5

SHA1
09a7b651c2caf9ef504e09377599c1edfb153eba

SHA256
e36887be2696b151147eff8fa8d376e4e19bdd1ce91853c86a66add3f6d4ceb8

SHA512
5eb6cdd14a4f085f9cfb42ff332845855034b1a8912ebd56880702e64f357082d49b25ec27caef064915df0c19f8752c2f44d60f0f15c12e63ec533d38521d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
3ba54cf7954be71dabda20c90db420d8

SHA1
9405873dc5c4ee2b5ff1407f05cd39442a3ee3b2

SHA256
2411711f03be52f411ae36d085703939ddea1dbd2430f87ae5c3196f6a0eee16

SHA512
6af8ba95a1bc1c52a04599849c02a8cae3b5b9b6a0c734bea62526169e49ea20d3532c267bc012c5cd114870f35ca91824408eb4fa4256105f6b7e8a40b0df4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
f7277646485e2ffe5e8d09a3c2849b49

SHA1
dd4257c5ac89b3cd965d60379ee53fde636ce788

SHA256
f96548781cd1dcd69acb233a1712d8a8527edfef03b1ba8b2690ae6397f47d86

SHA512
2f3b1e400ab16e48df45a9935ac8ed5daa332c6d6c0aa429fb559e9e22520d983f53d9b2539d95881241a614701b1668ce4fa90cd0ebd5c508e8d3b8ac238658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F5BDBED2.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1321e6e3-4a32-4c13-85d6-f0147e5616bb.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE1D6.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3788_348598890\377b2d1f-2a1e-47fb-9865-d2f72a058d66.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
8c325ab4f3bc2f87e26aa87689e38b4b

SHA1
d83baf28b89106896995b7e7465e0350b2402636

SHA256
cf23cc9bff4901f89fba3dccec32537d61e6fb5b5cc9e79c1e9d0ca2fbf4a94b

SHA512
1df3c6275011cf65cd52f1ae6929b292cb3ed56ea95ffa74342baf09657e95bead42797f16688049002fc56776ae0481bef1d0d8acf3db68ecd68c4a86afcba0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
ca6f58f1582c5213d3c1fd9527d1fd9a

SHA1
4e9f939266bd4aaef12d34a720bfdefff13216b1

SHA256
2b494b2c7c89741eb391d170444f8e85ffc932eab188c8e8006cd41f8d4a9c83

SHA512
dccc1e043761af08f571413355c6c3a260297f39286dbe9ff2811be5a3cdcfed7406c07fb18e339383cdb691ffa3d2886c3ba644f7ce6955be192e989f7b70cd

Download Submit
memory/4676-155-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/4676-157-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/4676-159-0x00000292F96E0000-0x00000292F9837000-memory.dmp

Filesize
1.3MB

Download
memory/4676-158-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/4676-156-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/5316-18-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-168-0x0000016484070000-0x00000164841C7000-memory.dmp

Filesize
1.3MB

Download
memory/5316-169-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-164-0x00007FF9551C3000-0x00007FF9551C4000-memory.dmp

Filesize
4KB

Download
memory/5316-165-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-160-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-5-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-7-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/5316-16-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-17-0x00007FF912680000-0x00007FF912690000-memory.dmp

Filesize
64KB

Download
memory/5316-1-0x00007FF9551C3000-0x00007FF9551C4000-memory.dmp

Filesize
4KB

Download
memory/5316-20-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-19-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-15-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-9-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-11-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-14-0x00007FF912680000-0x00007FF912690000-memory.dmp

Filesize
64KB

Download
memory/5316-12-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-13-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-10-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-8-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-6-0x00007FF955120000-0x00007FF955329000-memory.dmp

Filesize
2.0MB

Download
memory/5316-3-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/5316-4-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/5316-2-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download
memory/5316-0-0x00007FF9151B0000-0x00007FF9151C0000-memory.dmp

Filesize
64KB

Download