wannacry | a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da

max time kernel
344s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoClicker-3.1.exe
Size

860KB
MD5

c208a15591828ac1b1c825f33fd55c8a
SHA1

bea4a247ece1a749d0994fc085fbd2d7c90a21e7
SHA256

a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da
SHA512

b78d8055fc64bac1cdd366cdb339df2e081228bd998fdb5450a6832b0720c1b321568aabd7535ce62c16067ad20c86e51712c3e78bc40945adc05c63565fd889
SSDEEP

12288:2aWzgMg7v3qnCipErQohh0F4xCJ8lnydQEzFGZ3dRP6yWD:RaHMv6C1rjpnydQEOPdWD

Score

10^/10

wannacry xorddos aspackv2 botnet defense_evasion discovery downloader execution impact persistence privilege_escalation ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\anal\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024542-1794.dat	family_xorddos

Xorddos family
xorddos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 1 IoCs

flow	pid	Process
159	3868	chrome.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000024599-1968.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE2BF.tmp	tomi tee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE2C6.tmp	tomi tee.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 31 IoCs

pid	Process
5572	7z2409-x64.exe
960	7z2409-x64.exe
3996	7zG.exe
680	alanwrobel.exe
5244	alanwrobel.exe
1948	tomi tee.exe
5620	taskdl.exe
2996	eee.exe
2432	eee.exe
3916	patcher.exe
3840	patcher.exe
3196	@[email protected]
2536	taskhsvc.exe
5164	@[email protected]
3656	wrubl.exe
3548	patcher.exe
4584	patcher.exe
1832	taskdl.exe
4680	taskse.exe
3660	@[email protected]
4304	patcher.exe
4812	patcher.exe
5660	taskdl.exe
3996	taskse.exe
6032	@[email protected]
1564	taskdl.exe
6056	taskse.exe
3112	@[email protected]
5696	taskdl.exe
884	taskse.exe
6116	@[email protected]

Loads dropped DLL 11 IoCs

pid	Process
3420	Process not Found
3996	7zG.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
3420	Process not Found
3420	Process not Found

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3168	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	eee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	wrubl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	eee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\klswbctoejceumd443 = "\"C:\\Users\\Admin\\Downloads\\anal\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1279544337-3716153908-718418795-1000\desktop.ini	alanwrobel.exe
File created	\??\c:\Program Files\desktop.ini	alanwrobel.exe
File opened for modification	\??\c:\Program Files\desktop.ini	alanwrobel.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-1279544337-3716153908-718418795-1000\desktop.ini	alanwrobel.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1279544337-3716153908-718418795-1000\desktop.ini	alanwrobel.exe
File created	\??\c:\Program Files\desktop.ini	alanwrobel.exe
File opened for modification	\??\c:\Program Files\desktop.ini	alanwrobel.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-1279544337-3716153908-718418795-1000\desktop.ini	alanwrobel.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
107	raw.githubusercontent.com
108	raw.githubusercontent.com
123	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Users\Admin\Downloads\anal\:\autorun.inf	wrubl.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Users\Admin\Downloads\anal\:\autorun.inf	eee.exe
File opened for modification	C:\Users\Admin\Downloads\anal\:\autorun.inf	eee.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	tomi tee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000245c8-2062.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	alanwrobel.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	patcher.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\msaddsr.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll	alanwrobel.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe$	patcher.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ps.txt	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\pa-in.txt	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\is.txt	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll	alanwrobel.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe$	eee.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	eee.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE$	patcher.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\en.ttt	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alanwrobel.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\tipskins.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll	alanwrobel.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	eee.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll	alanwrobel.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll	alanwrobel.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	alanwrobel.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	patcher.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	eee.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	alanwrobel.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	eee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	patcher.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\msdasqlr.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.sfx	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\serialver.exe	alanwrobel.exe
File created	\??\c:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll	alanwrobel.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll	alanwrobel.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	patcher.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2409-x64.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	alanwrobel.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	alanwrobel.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1940	680	WerFault.exe	146
3752	5244	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tomi tee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrubl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alanwrobel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alanwrobel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884099327060159"	chrome.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4408	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\anal\:\autorun.inf	eee.exe
File opened for modification	C:\Users\Admin\Downloads\anal\:\autorun.inf	eee.exe
File opened for modification	C:\Users\Admin\Downloads\anal\:\autorun.inf	wrubl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
5636	chrome.exe
5636	chrome.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe
2536	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe
Token: SeShutdownPrivilege	2452	chrome.exe
Token: SeCreatePagefilePrivilege	2452	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
3996	7zG.exe
2452	chrome.exe
3660	@[email protected]

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe
2452	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2996	eee.exe
2432	eee.exe
3916	patcher.exe
3840	patcher.exe
3196	@[email protected]
3196	@[email protected]
5164	@[email protected]
5164	@[email protected]
3656	wrubl.exe
3548	patcher.exe
4584	patcher.exe
3660	@[email protected]
3660	@[email protected]
4304	patcher.exe
4812	patcher.exe
6032	@[email protected]
3112	@[email protected]
6116	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4724	2452	chrome.exe	96
PID 2452 wrote to memory of 4724	2452	chrome.exe	96
PID 2452 wrote to memory of 3868	2452	chrome.exe	97
PID 2452 wrote to memory of 3868	2452	chrome.exe	97
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3880	2452	chrome.exe	98
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 4456	2452	chrome.exe	100
PID 2452 wrote to memory of 4456	2452	chrome.exe	100
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101
PID 2452 wrote to memory of 3196	2452	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4608	attrib.exe
5936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd204adcf8,0x7ffd204add04,0x7ffd204add10
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2112,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2964,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2976,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4308 /prefetch:2
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4872,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5516,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5700,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5124,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5964,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5968,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5868,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5916,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3848,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3184,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3076 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3192,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3212 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3220,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3156,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4284,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6076,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4740,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4732,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5564 /prefetch:2
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6432,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:5472
- C:\Users\Admin\Downloads\7z2409-x64.exe
  "C:\Users\Admin\Downloads\7z2409-x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5572
- C:\Users\Admin\Downloads\7z2409-x64.exe
  "C:\Users\Admin\Downloads\7z2409-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4720,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6444,i,3540200015099627465,11788983882446543953,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5636

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5836

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\anal\" -an -ai#7zMap4142:86:7zEvent32667
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3996

C:\Users\Admin\Downloads\anal\alanwrobel.exe
"C:\Users\Admin\Downloads\anal\alanwrobel.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 516
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 680 -ip 680
1⤵
PID:4320

C:\Users\Admin\Downloads\anal\alanwrobel.exe
"C:\Users\Admin\Downloads\anal\alanwrobel.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 636
  2⤵
  - Program crash
  PID:3752

C:\Users\Admin\Downloads\anal\tomi tee.exe
"C:\Users\Admin\Downloads\anal\tomi tee.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1948
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4608
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3168
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 251341743936542.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6004
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5936
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3196
- - C:\Users\Admin\Downloads\anal\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- - C:\Users\Admin\Downloads\anal\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5132
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4680
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "klswbctoejceumd443" /t REG_SZ /d "\"C:\Users\Admin\Downloads\anal\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "klswbctoejceumd443" /t REG_SZ /d "\"C:\Users\Admin\Downloads\anal\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4408
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5660
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6032
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6056
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3112
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5696
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6116
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  PID:6088
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  PID:2540
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  PID:912
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  PID:5712
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  PID:6004
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  PID:4492
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  PID:5804
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  PID:6056
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  PID:3876
- C:\Users\Admin\Downloads\anal\taskdl.exe
  taskdl.exe
  2⤵
  PID:508
- C:\Users\Admin\Downloads\anal\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\anal\@[email protected]
  2⤵
  PID:3968
- C:\Users\Admin\Downloads\anal\@[email protected]
  @[email protected]
  2⤵
  PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5244 -ip 5244
1⤵
PID:1064

C:\Users\Admin\Downloads\anal\eee.exe
"C:\Users\Admin\Downloads\anal\eee.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4676
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3916

C:\Users\Admin\Downloads\anal\eee.exe
"C:\Users\Admin\Downloads\anal\eee.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:5552
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4868

C:\Users\Admin\Downloads\anal\wrubl.exe
"C:\Users\Admin\Downloads\anal\wrubl.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4712
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:5780
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:1796
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:5512
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\anal\tasksche.exe"
1⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:3648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\JoinSwitch.bat" "
1⤵
PID:5476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd204adcf8,0x7ffd204add04,0x7ffd204add10
  2⤵
  PID:1616

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\118513668a0d4c0f966bf388dd14bdd5 /t 3388 /p 3660
1⤵
PID:1260

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
PID:2736

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
PID:4592

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
PID:5188

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
PID:5992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1764

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
PID:2268

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\RevokeClear.nfo"
1⤵
PID:2884

C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
88518dec90d627d9d455d8159cf660c5

SHA1
e13c305d35385e5fb7f6d95bb457b944a1d5a2ca

SHA256
f39996ab8eabdffe4f9a22abb1a97665816ec77b64440e0a20a80a41f0810ced

SHA512
7c9d7bd455064d09307d42935c57de687764cf77d3c9ba417c448f4f2c4b87bcd6fea66354dfe80842a2fa3f96c81cc25e8bf77307b4ace1bbe1346cbe68435f

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
c4aabd70dc28c9516809b775a30fdd3f

SHA1
43804fa264bf00ece1ee23468c309bc1be7c66de

SHA256
882063948d675ee41b5ae68db3e84879350ec81cf88d15b9babf2fa08e332863

SHA512
5a88ec6714c4f78b061aed2f2f9c23e7b69596c1185fcb4b21b4c20c84b262667225cc3f380d6e31a47f54a16dc06e4d6ad82cfca7f499450287164c187cec51

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
696KB

MD5
d882650163a8f79c52e48aa9035bacbb

SHA1
9518c39c71af3cc77d7bbb1381160497778c3429

SHA256
07a6236cd92901b459cd015b05f1eeaf9d36e7b11482fcfd2e81cd9ba4767bff

SHA512
8f4604d086bf79dc8f4ad26db2a3af6f724cc683fae2210b1e9e2adf074aad5b11f583af3c30088e5c186e8890f8ddcf32477130d1435c6837457cf6ddaa7ca1

Download Submit
C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll

Filesize
10B

MD5
b314d269c67cb2ea968879a86adf7b34

SHA1
117bf44662a0948c357d48c3be9575ffa6afbaa6

SHA256
11e4909220869d156df6dc525ec50b3596a917ff5d11a884bf23b96da6a26635

SHA512
26b4b366112d28e3fae79a19262f4f7fe148c687651ce05bb82f8d783d58312947e0f23bc046374810d728b3d6cef80653cc5dc8da65c3370447af4fbf8b305e

Download Submit
C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
668B

MD5
f5b291bc937a0e51b0f16c4ccbcf8ef8

SHA1
b74ea9a0119cfc5531d4aa84e8c985b91db44899

SHA256
73aa532e66b1d7dc7ab98bce2d2a063dbe176d257b2c58603940d46cc7630753

SHA512
dec6ee61ac0316d220206ff3a9a4324506294f7c67e0fcd183ba91f5a7acfdd316d8d054becc9a74a142173531dc7dfaabec8a22a953b13f433f72500ebe2a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
13e85db7ab7bd0131b6d7b372eb6b3cb

SHA1
5bd031c1d79faee9f5b180576fb2ba73afd236a9

SHA256
96bf5616e02db2a7d71c4eb64ee4bf0ca8a06700e34ffa47bdc9c02f97092e20

SHA512
63e735544156689c62d6d5cffe428e6cf749066239e69dae910f08b89aa9f87efbeaf9ba5fa16d2644d16478ee854903270d4e330ddf89ea1bae6d54c98cb029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5a3bc9d9-fa72-4fe3-9333-fe16fbc6b5ba.tmp

Filesize
11KB

MD5
0cf8b3ff4408d5643a0133763a4b151b

SHA1
2983031f4a70554fddc6148319f8b7816a190693

SHA256
bfad029f4bc290cdfdfffd16382eacddeb595248cd53d8df055588724e57d5c2

SHA512
0358b38f16e55636cc6aaea3bf3dcf2a0fe9c7c4376e1edd4b994f1d5577058ff6c869d5a2f99a3a9efdf1c16eabb69f96dff385e06a6d030b6800878f613338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e42f0977614172dec56c3f8a75dd48ad

SHA1
7dd5e377b6921c3426de317213e32bbb5554f2b0

SHA256
5fd33cfe28afc15b722993ab0898ffb42b9ca06de1fba49e480cfb905eff87d1

SHA512
98174d0c12c59c2426a42d289070e2b62b275ca7d4d76c079133a27c05b1582b2b33c997d5a3a1a34af4540e6d9a991dbd13f84ee0d05df5a4b913c13d6e3d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
18f5ee89120f9b50066a5b7535084468

SHA1
b28d109c49ff52d20b95e3d2fc6156a579d80858

SHA256
b664dd200c85c2c6888fc782625dfd947a24b8a6f4ffdcf656e02e596d11d0ef

SHA512
4a385eccc9df3c1aec25a8969b5cde613c75ddac3485ab1affc7f152c283d2444511cd41504fbb26794c3a4f964fbaf3884a79d16b5719204fb712741349a92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
3e23bc047b0ed576d98a8a4bd5f07f4a

SHA1
7596075bdae14f77d6c1629b5f430fcbcfe7cf78

SHA256
35cc7c47e9526bcf4a7a66694c3b9c078ba02abdc2d16cdc3ebe02d0b630e196

SHA512
ad2623195984e26a21df561bdeb8c7a33aca4d29953f9f7471e08917f44409f264f354f6be3668310dc6e0cd049ab8f8e267fcca8f988739ca270d24621a04bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0e0f1cc039afe805c5dd6b40f89698f3

SHA1
d03640e0d47a3e04cce56d56ed59f002c2ff3375

SHA256
60ed203056ce235287191ab9a456223665f4a42c1da4c24047eeb2afcd5ce0d2

SHA512
a764bde8d584a9335d05c6e52b6889aa82835cdc08381744cde26cb7407a9d6890ced9aa6bba0d28078cb05ed4b11ca514aabc2a391c54c797020d45d58c8880

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
e85992c27be04a4d269e3237364c3e33

SHA1
aa55d68f17e8ecf19f1b39a445cd0b9eeb34e0b5

SHA256
0da0af42f46381ef550779e590b9e83bae8138a3e37a787756bedf24973b4e6f

SHA512
5951f8668c0aac7acd77b10b37b3d6e01b19b897550262f30f6bf8cc2e68fcadab1f56873fc33f6ae825913bde7c281aafc1b9b54ccf2fc9cce45d3424eb57ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
37f94ea18e0e578fa1d42c5360792211

SHA1
4a3fc2e30d3bf897850b665d0f0631068463d8a0

SHA256
5ce64afc80985ab52798fe5163ace296d6263b410576e4f8d0bab7b39d486e73

SHA512
7826af63344c814e916951e72c0a507d55f44988d32129676c23b2d2ac0df66e174ddde6654b8043d3fc03f5a0de8646df45bd39e89eff008d5b4bdb4985237d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
09e1fee47b4068c6ac2a4b7d25d17f49

SHA1
5165fc9f0f30553e3a3652409dfd239c6fabc953

SHA256
cbf3f8d4372ba7c5a906922f9b5de3e3c1641cda1d300ef2a9e3305933494ada

SHA512
39fb0b14b971a763a0aae70d38d58b2b4c12ba5d4f832543ab92d1905291da91098405986600510d16c3fd351be2d5e3f952ad92c9e9f036a98d23808441667a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1f0f4dffa233a90005f895ae702d6086

SHA1
a18909991f4aa5e01cc4465b1b1884616a6eddb1

SHA256
5901709ccdcc7d8ecef643c70d4dc986b92b2d972cfcfbfa1f383e5cb7957bc9

SHA512
465fdfd945157f502b26ed101a17a9ebb76979e53eec3a85085287be556d51693cf0961dbbba00afe82d265cb90bcb41d8e4540264af2756127bfbfa727628b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
28a2159158649fff16af692a128a2f18

SHA1
e56657ab054760cd5d48b4fca61a472289d79e11

SHA256
22fc43ddd2af45cf048266603ed0e5b22d6d6f987d5de515b143898e8adfce7f

SHA512
cb9578932afbea6f566dceb1f268d99f2d15f77103b41959443673602f9e6b3ba609a3ea22ec117a1090c06cebd561d2b8e988f504eaea585a33f395d05db310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
89c7e3da9a3c9fab419ff4090dc27d8a

SHA1
54201a357bbe73c460d82d062e7b5f654a4a8f8f

SHA256
0052f7f7d5900b1277f2531ad4f9d4db5ddef6adb51c1dbcbe6920b2a3b2e909

SHA512
edda1b36a9b383285f34523eaf44ab33c550fdf055cf96ada4c06149cbba1fb3cc38c337f0ec54e83144446282aba5f5541459c017b86a250c4ae785942ebdbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cb75c96480d3e0f4d5ae250193caeaac

SHA1
b3204edfd1203f5b4ea2cf0b7f77d44e728ef43c

SHA256
970e26b29a83ebce461e129a10579f9f31fa65d0eca16c59ad48bd07bcb50b48

SHA512
98c5ab300684deb99e762d5fa20595c48d0ba916fb340fd4867d8d1a44dec1954ad502b9b59b377cebc72a582dd183cb3aaf8d2b579312440d3d758187d874e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
a8e7c58f610615ece11139b319f7dbea

SHA1
35947d19cf45bb74ed97b3318e5a0d33816a5b11

SHA256
51a6ddee17b9732d250b69172f7c2fb9366cb20a642fd22e255ef6cbcb82472f

SHA512
f56a3b69312be96f18e1a3a08070497f743b4ca0078b0688e21a5e097165d19e250e7de13e4e8650b43d377a965d6b8bd995e40632b2bd9f3c659ce9a74df44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7cb4c42e93c3af872936c5f525e3efbc

SHA1
07c292886402866a9c5e6e3f0570a6c19b34147e

SHA256
9d457b530b1c3b3fe59c6ed14a85791114acf8bb9e14ea7949fd051babf1583c

SHA512
97282c60ef25fa7e96bb81d0625d36aca2ed36ce1fc8151638ae860fcb752ab7c9aee768bec846e2623a50cc3990d4c1bd8a5627ccc5636ca5725c0625d46924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e05d.TMP

Filesize
48B

MD5
c94a437a9a19755ddf55e9076895c1a2

SHA1
6c03b2334a81b5b8adae162b6ac5cbd28028343c

SHA256
60b8640dd8503aec46bfd1e2034e2b40265380632f409d9ae4c41085d4dc2eef

SHA512
58579bdce9e0df9acaabc37d23778680933df19237b21c4e4eeb1e6fcc5fb8769f77ce6ddae1c04b358d6c9337ab3544c0c64ec80e59856f89cd7938fa5c2562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\99572959-5a6b-44b3-98b6-c3a5d5874211\0

Filesize
35.6MB

MD5
3451b3cb77cdedd959bab41a9e5fc527

SHA1
9433b4120ae7aab39a20eaf7f3cb882f0bfbf2aa

SHA256
5f5eb8a21487d814937866847eff9dc35de36b60f2e08923f99ef2ae10b0866e

SHA512
9e79a945124c5da2f41a9d5f08bc6783ad9eab59852bb300e1d0596c70feb5aa16069e9570df47a3634b1f29b35aaa31b2a1b5f61ba42343b4d472f896042080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\99572959-5a6b-44b3-98b6-c3a5d5874211\2

Filesize
4.5MB

MD5
aa075e3c37749e7bb4311ca2e9f56f5d

SHA1
f7f0db08b46500821515973a39058cdec4128f92

SHA256
2f7e9e5873b1e701746cfe7f8c6dd25e626ee2c6069039044d4d46696331aaf9

SHA512
4f8f350d9e1215dc1711a2c86606e1c816c6901e761e08ea984a061f7326f90b8ccf95c2eb4913849cbc4c4616b029927c6e23fef8743ed957439d244b7b0b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
b6603cce65a6722f5b0288df9983ca72

SHA1
0b998edc4986cda6b63dd4392a8ebe9679fd3df7

SHA256
82d4a6b789372b9bb246317d6825e712cd8c3cbdcb0538cb8b5de6c1fb70f537

SHA512
9b04b2aa0587d6473097d49b1f5cce8e6eb41403971a7a25db6e1d71ffa48ab9d380312db9df3d81b72bdb17b0bf75fc7ddcc62e98e3190d709c0bc14f305254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
836349e4ce2a7279ce5d2d49019dbcb0

SHA1
8c6d9a37a3df4e0304508ecea8cd3a837addc6ed

SHA256
9b9690686ad72b0cfb3c6d686ca55139e124d79cb310c842ec93487c9153c038

SHA512
d6a4d949e3bd9dfcecd9675cd40f9f3d6495e1cc7c1ed12fbb0ca479eeb20d138b31ee77901d82268c636606911314712121ab504dadeec892074b69d1a9a827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
6ccfe773196961bf8bfac0fe9bb5b0e5

SHA1
2b5314ca7d484b2f652e3d123172cca7acf21210

SHA256
3eb9cd96affb62cae50c9b947845f47ea6ca9a57cc7cafc192843197580a3eba

SHA512
32891a8e07d84ae278b411c35ca7511fe2ac35d640493d6f843addfdfd7de55399797165d314c68ef7d7d5179f29173f5f51525d26b0bdc1c9ed92a0a14aae21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
7e69eeb5fac0c749f15439adf35fde2b

SHA1
4cf294ca61001f4ef581b8c6a3797ccd3c42176b

SHA256
38d2726985da42533622d5ff47aadb3bc4fc7c7c8f3c32e23b98696316465ad1

SHA512
7aeb9df881138b926996dfeb9d98d3d79464b4e5e11efff852a04812250e70912e694364c0a048b6a595e774443133c153a028dd17bc908f833a63f1bbb5ba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2452_1450414560\d3ed1f01-eb35-47dc-8d8b-28aefbde3e53.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
27.9MB

MD5
d1075b730532f1afd21961cbcff27218

SHA1
954621cf0bddb4f6e2c7f53e2f6af258f8276138

SHA256
2ed223f3d55fd814031169fc0f93e41b9a07eafa00d3b5ef3e75a5cd61d14988

SHA512
f24699c7f6032d469c1744170f5dab5e23ceb4c6dfe6c3c85c8f1d10bfc81a7fcef56eb4a8ac069f9c1608f6717c74ea29c6b7e0aeeca89ee326f0fafe521e39

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 881924.crdownload

Filesize
1.6MB

MD5
6c73cc4c494be8f4e680de1a20262c8a

SHA1
28b53835fe92c3fa6e0c422fc3b17c6bc1cb27e0

SHA256
bdd1a33de78618d16ee4ce148b849932c05d0015491c34887846d431d29f308e

SHA512
2e8b746c51132f933cc526db661c2cb8cee889f390e3ce19dabbad1a2e6e13bed7a60f08809282df8d43c1c528a8ce7ce28e9e39fea8c16fd3fcda5604ae0c85

Download Submit
C:\Users\Admin\Downloads\anal\20ca1f8c5fcf963fbbb10b527d041847.vir

Filesize
252KB

MD5
20ca1f8c5fcf963fbbb10b527d041847

SHA1
e6444518f375bc8d874d221d7f5661e80f740662

SHA256
393ecb019a145a62b32efee66c6086943945e869f848b42d4c72f4a0d3fe3ba3

SHA512
a0a78c8ef3793fb631ca3da1cbd49f517c360301d07db352228ceb30458db520402bda28784ebf6371592743f16e3dcf5034997c01806ff71b7b6bbef58d93a6

Download Submit
C:\Users\Admin\Downloads\anal\2a6db6ab86ab610982ba517dfcc73d91.vir

Filesize
420KB

MD5
2a6db6ab86ab610982ba517dfcc73d91

SHA1
06969d60c0c153f4a4cfcd32417d02498948c019

SHA256
88384f143df60d5ae4a2fcee570d867754c292efd96f2bb90581e8af7ac6bb58

SHA512
09fa8e1ab24953595a26f4c9575265b8b953a9492145d75f0a3a09e4e62210ff65dd30f02335f4111e27d523368a7a8f5f24ddfeec8e8b1bed77020dc3798651

Download Submit
C:\Users\Admin\Downloads\anal\2ab252c9b35bb25faabb4312f5df87ec.vir

Filesize
156KB

MD5
2ab252c9b35bb25faabb4312f5df87ec

SHA1
b6e17906d46b5c72f20851d665bff0bd3e7a89b2

SHA256
ef488003dd1a25457db9362cdd4b0747e441f7e8da37053b0318a0e205f575f0

SHA512
7dfc7b04d63489718eda236faaf65fbdeac0b76777ba2316e7526d973c605117b543629a260172b7b801b995bd9a6ee7bd1bc1ed709f000181dd4a2445dd2d7c

Download Submit
C:\Users\Admin\Downloads\anal\558b05e59b333aef5224e1da7d03f2e9.vir

Filesize
120KB

MD5
558b05e59b333aef5224e1da7d03f2e9

SHA1
d68e616cbf0b22680de34c4d3615cbfc866176bc

SHA256
55120454e6afa0416c07b905d38434768542cd93b36279bcdbc0a894854b7d11

SHA512
5ccffff98ac76452c802ff92cd566fff0ede3312ab2fcf5e379906c20412c56d4f6a5be71c2bf9f2cec90ec718fcef3bdfc321e6b969e556692c5f3b2d1d3fa9

Download Submit
C:\Users\Admin\Downloads\anal\6567ee3c90682ce956df2af88ac6d0d0.vir

Filesize
61KB

MD5
6567ee3c90682ce956df2af88ac6d0d0

SHA1
b907e266b4af7cdd5fe96488cc365fc4e41e31f6

SHA256
63bc229bdc039252c49a63b31d8c3a73542535c51153e408de55c8490a3ce24d

SHA512
23fa8de59c14c2abeedf6ba16dbcb15bc0f1a065335bdb57fe8cd42005197c5cba748af3ebea39f61c74583c45479d88895b93e797145af8a3de5a8e93929acf

Download Submit
C:\Users\Admin\Downloads\anal\6fdb9a5243232703b13cadc5cccfa253.vir

Filesize
288KB

MD5
6fdb9a5243232703b13cadc5cccfa253

SHA1
694d077a54a46daee4880633a38e0804fca88060

SHA256
16f97b141fcce54f677ab3c97901059705244b5e09f5c353b3ae99bfd9c8aa45

SHA512
929df3212c7e7222008e8e944e5a778582aa09c18e0afbaf4fa45bfda617dfa0d8a9a9381c4ab0ae7b7c75168b295483930326e0a7ffe2e3fb7957dab4a05e67

Download Submit
C:\Users\Admin\Downloads\anal\8b71967467522258a92a8d5dd734d565.vir

Filesize
120KB

MD5
8b71967467522258a92a8d5dd734d565

SHA1
5b40b3789f5fd3ba26493fd7a6b4c46848941914

SHA256
ee9a580245ff7bf4465b122a2bc3ef9c731daeb06897ea34579c009bc9fe988b

SHA512
81d669c56464d2c3c302360bbeafa5a7443e20c3cd4dfb80cc3cd28b736434d2b66789bed02571c4ff62a91e82bc811edf38202a4f3fa135e5075550d2035450

Download Submit
C:\Users\Admin\Downloads\anal\8d1d6e7c36bc9c97338a71c862dc52a0.vir

Filesize
153KB

MD5
8d1d6e7c36bc9c97338a71c862dc52a0

SHA1
ea0cd6c2983a4fda97302cf338b3fbac20a3cc1e

SHA256
636f404892310f7f7cbffd013d5ebd5895b309af2b0bb18814e52c5548e4d4a6

SHA512
fe89091867ddfb2e9b8a94edaf5c5d56d61fffa5dd9f604013ebfd19498625d5d0a8c7db0ae4c215bbe00c2c6682a90137abc91de24c89d16dbcd0f961194923

Download Submit
C:\Users\Admin\Downloads\anal\8e300a75d4dc0bb5ad7ca16f3b982c4d.vir

Filesize
1.5MB

MD5
8e300a75d4dc0bb5ad7ca16f3b982c4d

SHA1
acb3a0014a41c7002507281fa203051c2bfd6df7

SHA256
0e6b7297e0d268689c958889a39733a7367e6836eadd82c475f577f26b64d7de

SHA512
f0f5b84911bf027b2af783d10b23e2711a43fa7492dc7058d0a64bc109f06ed5f4f32c82bea73861c3786956783c7bd73cff5d1c359729a1a672dbb5312c725b

Download Submit
C:\Users\Admin\Downloads\anal\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\anal\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\anal\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\anal\a99c10cb9713770b9e7dda376cddee3a.vir

Filesize
611KB

MD5
a99c10cb9713770b9e7dda376cddee3a

SHA1
1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

SHA256
92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

SHA512
1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

Download Submit
C:\Users\Admin\Downloads\anal\alanwrobel.exe

Filesize
3.6MB

MD5
bedc75141877b5e6ef16af9853041860

SHA1
56b09dd731ebd5541659281156aebaab90b0c54b

SHA256
6fd570295590c7d98e89eba94bfdc2367a3d1b285e41005ed364d4af7bcabf73

SHA512
8cd27f2354511e4f12fedfee8737662f2777c0ad69d8e99db54bb5142622468e3bec0026f029f19b2a24f26dccf91e237efef1cc34a7ffee84454b31c6570afa

Download Submit
C:\Users\Admin\Downloads\anal\cdb1365059c0e4973843dc0d0955bfbc.vir

Filesize
3.0MB

MD5
cdb1365059c0e4973843dc0d0955bfbc

SHA1
eaa991e3a9c57302f31ac5faba09d7f00f65c8b6

SHA256
1a880b81f53f4c162e7c90d098c185da9cc936988f0ea4fdb278c661d68f9996

SHA512
17d136b87efde90b50daccb84bd85dd09706af14ee5a2a963655ec2df06aa3173915ccb479010098061dbf079c716197d6a311eff3b0c722daf46c00295af4eb

Download Submit
C:\Users\Admin\Downloads\anal\d11cb523b9e2dcedff41c5346a48cc1f.vir

Filesize
180KB

MD5
d11cb523b9e2dcedff41c5346a48cc1f

SHA1
ed5458e2e82effe7c2eef1123956e108ed71c4e1

SHA256
7b86c29435cd174c8ac5bd80e5b77206d0fb7f95774e85ff407e644e0f46fae3

SHA512
28a4e41a729cef7f16a82595e9c69b70c0836a44c66b7381facb904a2845f403a53b39e1ed76ccaef6571eed029f158c343486f2f16b6b1103623efadcd852ed

Download Submit
C:\Users\Admin\Downloads\anal\d1955d1092f0615321bc60e5abd0d8cd.vir

Filesize
2.6MB

MD5
d1955d1092f0615321bc60e5abd0d8cd

SHA1
7e6d20b24d216628f0e7f81015a4f518af075575

SHA256
e1c0d8c1dddbf7cab773d14a60e8e342456a7c80f4b8cc7630927824506819a0

SHA512
cbf7c61868f9a97bc2aa2dc3b72f0227024e7bbf1d0e0c6f899408e6e7fd9202912c817a32bb6d917f1caa27be7c1749eb4681f91edefcfe41a31ed87fc57b14

Download Submit
C:\Users\Admin\Downloads\anal\d872770d3857a675142f706098e45fe8.vir

Filesize
1.0MB

MD5
d872770d3857a675142f706098e45fe8

SHA1
22ac9e35784e8804a1631556bbfca4801a92b322

SHA256
4f5ad84afbc4c814cac687912c528bbb0b6b926f94a0d7352fdd72c503bb6c61

SHA512
3c55158a2fcf92e20d2498c76c12ae887380b6b6293a83992e5c60e5df2c140b06b45c2f367de79fa961e5cfc8f46ed2c472d70c6fc0c5eb26263dfa7b11ab75

Download Submit
C:\Users\Admin\Downloads\anal\d9985f2669dadd11b529f6492198bde0.vir

Filesize
2.8MB

MD5
d9985f2669dadd11b529f6492198bde0

SHA1
401cde3ac2615da2ac121a297a79877e133ceacd

SHA256
227471b4cc68a25874e21e585bdcdf4e42905a291f293f8c549499df0a6cda56

SHA512
a2b53bcb111f326e5475013a0b5babfb95e2edbecabd7bd8120618cbb74a14172e39e5d0db2af6fc6776ec25992fc36634485c177a4f40ae84ec5a2d622c5c84

Download Submit
C:\Users\Admin\Downloads\anal\dad3b507b3519774672e6221a254f560.vir

Filesize
138KB

MD5
dad3b507b3519774672e6221a254f560

SHA1
6a7715c7615db96a73d41f32d0298a476c54d46c

SHA256
64fe980df1cb38cdd29a1d27b70719241b3052281795fd1654638ff47e37aa27

SHA512
85691b29b64b985d0e55872e52e6de7069a9f60b9f4ff1a7795c90290ae9bf06c9379dc857685041635ebbef50ac5e3160cd74ca2bde49037d5e92ee1a198264

Download Submit
C:\Users\Admin\Downloads\anal\deace9a9a08bd89616a9cc3ca1bac700.vir

Filesize
745KB

MD5
deace9a9a08bd89616a9cc3ca1bac700

SHA1
3ed1cf370a297fb653a8331ad370ba6f9f8c919c

SHA256
29a0b87b8495891215d3f7f2d9a7299ff5ad1c78aeecd078a4ee22c67abca3a5

SHA512
695612512c2e6eefe24610cd1f7271e79a4173d8a0046da14a5f90b847717b468211f4ef0bbf361fea954ff1491afc42ebe71f64d54fb269a3bbd7210f2fb30c

Download Submit
C:\Users\Admin\Downloads\anal\f77f8f2151012a32813ed0181c205882.vir

Filesize
560KB

MD5
f77f8f2151012a32813ed0181c205882

SHA1
6d652b36b38fc352060050f2608975749aae32b5

SHA256
dbd4052fc52d018d93db9ace8d02f3642320305677e070516fdcbf7effa34d82

SHA512
feec9974d0f5f3dc927d22b075d3dc7a3f7d33ef24d111be7d428a287dc3d604f14714a81144eb8ade7677d68a79c474083c2838e2c7735132dafdf4face5581

Download Submit
C:\Users\Admin\Downloads\anal\f9d77633d4548da678bd382fb41d33c7.vir

Filesize
484KB

MD5
f9d77633d4548da678bd382fb41d33c7

SHA1
18da4ee8292d3c3ef91a27ea3812802ab91a001a

SHA256
736e213b45a7a12511b3a7ce3aba2510996802ab14ede208817e85eb38e14f1b

SHA512
f8f965383b7e706ccbc959ecdc6365abc6a415c560b0e8bd9dd913b4e53116565779d89ea9f079775aae434d0682399b104bc3beb99962bc9ea05470a215dfa3

Download Submit
C:\Users\Admin\Downloads\anal\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Windows\debug\WIA\wiatrace.log

Filesize
16KB

MD5
5e519bdb82a22db5f69181d5366b75ff

SHA1
bffa1a420cd1cc0b04c26608c00a6f2f221c734b

SHA256
e134f2663a97f8a7c8923e3f1a262add5387ed5d74a4ab7c3343aeec02fbaa5c

SHA512
2d3500903341c8a4eaeb168ea933be46df6aa6144fdf33b996f2dc1fe9d8961bf8a95efba837e707180fe100747c6e9b521631c81f74bb1fee13629d7af67105

Download Submit
\??\c:\Program Files\7-Zip\7-zip.chm

Filesize
121KB

MD5
a7ba50e8a23bf4a17f827c69bdb8f6ab

SHA1
17db88d7fa4bdb042897cf1b8a8d6620dc4f3b07

SHA256
94561a6dd2e91b42d566846270b9d8915c30dd9200e7aab3a4e37547c0042491

SHA512
16598f7fe5dbad5abac11bbf84fce5a26dd686c1786ddeea7b86ea239fd1fd06587755eee7d376f4ca01a0c61f8b8babf5928222009160949a332fe5e985964a

Download Submit
\??\c:\Program Files\7-Zip\7-zip32.dll

Filesize
3.7MB

MD5
4f2ac7a40a290a7ecd6533685237da36

SHA1
f3c6747369fdf7c51072cac740baaec0a8a3b847

SHA256
47a231ba908c758d1ab4280c866bb34b5a7a4212065622c01cd96500384e6cef

SHA512
48b70ac84088bd62e4a433450f3b49f748a9f2874331e8fcbd687fd62ef4e9dfa334879c8eecf5bb1c2973cb6b7504d2f4c250bc8f858e609e47dd05a3c7c627

Download Submit
\??\c:\Program Files\7-Zip\7z.exe

Filesize
551KB

MD5
b6d5860f368b28caa9dd14a51666a5cd

SHA1
db96d4b476005a684f4a10480c722b3d89dde8a5

SHA256
e2ca3ec168ae9c0b4115cd4fe220145ea9b2dc4b6fc79d765e91f415b34d00de

SHA512
d2bb1d4f194091fc9f3a2dd27d56105e72c46db19af24b91af84e223ffcc7fec44b064bf94b63876ee7c20d40c45730b61aa6b1e327947d6fb1633f482daa529

Download Submit
\??\c:\Program Files\7-Zip\7z.sfx

Filesize
3.8MB

MD5
bc74f39fded933e8d77dddfa345e0980

SHA1
ce9d666462add80d4dfc64da085d449905042425

SHA256
ff4792624eaef3ed7bac98ff4722a5f9296356c80330efb55fa7e6d4272de513

SHA512
9591d2b9131bcd75bbb69cc5a33f60a77af799e5a88d7c183723ef0bc6d25b33a30affe1564694fa13c3b3c616c03ce92cad6931399c524473662af20de1ce8b

Download Submit
\??\c:\Program Files\7-Zip\7zCon.sfx

Filesize
3.8MB

MD5
8cfb27fb57b5acceeef7f8305c40c120

SHA1
d58be1c0eccb8249eb38193d7660f8f402a777cf

SHA256
516920467a73b7cdc391e340a7681798bc41afc10faf7878a3ba33a72da2fa8e

SHA512
354fc29a4ba8ec300e25621a35885ddb94cc72b88d84956aad767d786de4d37be1eae53df1a71fb7eb3e806c3a9d54aed0d4e329b03422e37b9c50d7e9204ea7

Download Submit
\??\c:\Program Files\7-Zip\7zFM.exe

Filesize
4.5MB

MD5
da5dd2b20ffa4fb24f12201c8dc1793c

SHA1
c9e706b7f834684a6291cd2a1dac57a0a5e71394

SHA256
513463bced2ad3a448ea7ad35c25bdedbe2938f917942015f1374a0dc3ec5686

SHA512
6f475482f7b68d9ca386b82aa605913854cec469c82cf5964db8de61c6b3b7c708948480346992a96be5e74ba0addc3cd124c9c3f2fa148d87cfaca9ea333bee

Download Submit
\??\c:\Program Files\7-Zip\7zG.exe

Filesize
4.3MB

MD5
f355af8bbdf29e5cc5316fe95e0843aa

SHA1
aa6a0d42f9ac97a6f5bc85339e39207cd14caa41

SHA256
aa146ec9900dfedfc68c21701d598c5f4b5acf70cd1cd600e0ebcec2f586427b

SHA512
2cf436892e769fd479ed0de4407611c01ad10283744ee9137ebd9b580fc9e1b7a749c3396ddee5d9bbbbcbc9d1343ab65dc9f6bdada82a3e07a83a4f0e3a399b

Download Submit
\??\c:\Program Files\7-Zip\History.txt

Filesize
3.6MB

MD5
457f7d649defb60ac82e6e77962e3a69

SHA1
9d5c9671da95d728e5cecbdd25e8b70a54b63a40

SHA256
d9a62def9d5ab8cdcd61405368b658f9d593e23f9d86d76be1ed3f5a596cbe59

SHA512
42b5c5287f29340c2f90062241bb323f822f048771dedda906a67f366aec79d3040feb095c2448ddda989dd507a202e182524fa90348f09bcf585ca59d987af0

Download Submit
\??\c:\Program Files\7-Zip\Lang\af.txt

Filesize
3.6MB

MD5
f37be30afeb9d92778840d8e733bd0f1

SHA1
af13da9ccdb67fe2b70669629d8485c717bf9f0f

SHA256
c4579c6a7639390f13a21b9c16c1cc22ff4c1bf661b1383fe708f76d1d297951

SHA512
b739cdef5dba37eb0bd4ab67f0d80b5349e252470ba256c9d573c5c8f74a7fa3361aeadc1e5d02dd32b78c94911a594fcf86c7d3683f5bc9c12d44a4c7a1b81d

Download Submit
\??\c:\Program Files\7-Zip\Lang\an.txt

Filesize
3.6MB

MD5
5d3d4ca06e513bd9ac3470e5f1e5c8f8

SHA1
92e22860f5cc056496e17ecd887b004efdf60a10

SHA256
eb7f592154b705287b9d370f7244fbff0310f921db3d1180d70d48995f78c2b4

SHA512
178a371f8530e03f05980c2fcc1f64b48335d039b3747a51fbcdb74f83aa6f72f82f33910653212e6f6eedd7ae0e670731fa846b384a50bc0be1aa43a4014cb4

Download Submit
\??\c:\Program Files\7-Zip\Lang\ar.txt

Filesize
3.6MB

MD5
b3fc0a8bfb6805a301c11028dc4f6515

SHA1
ae7bc3534eff21f1fd8e428063aa542098d45c12

SHA256
225cf5bcc8ca846ab076e44cf01ed1b6ca309c717f416479f9c508f6b7ce7496

SHA512
598ab3dff52ba939459bd770a2af4f3fc9a46838a50ce208411fbdf691548b42b719cc3e5ce46800b4b2d258d7b7600a0d8421ec84c52a2fdc84dbff84863a06

Download Submit
\??\c:\Program Files\7-Zip\Lang\ast.txt

Filesize
3.6MB

MD5
1926753ee4e76afe6bd47ec23138fc9b

SHA1
33b5437729b492d84a7f748fae294665b4f7f3ed

SHA256
d1a480508b446c7bb74cd8c71927da3631685f4700aa7355104432e977514f8a

SHA512
2f41f3e7851190fa025fdfaadf47c9327681781d68acb5de7ca53f005385e9af4eb4409730ed0afff01aba7cdd3736003e8041891cefe3bb3cdf31cceabbdd2a

Download Submit
\??\c:\Program Files\7-Zip\Lang\az.txt

Filesize
3.6MB

MD5
20b91a26b2d0b0cb31d684f97b5cd1d8

SHA1
9361baf0746818abfb0761c5e34efd17ea81b6f4

SHA256
925e8624143aa1aa73ed8ed43ee57de010d26f579a84920be1b04740bcf2a52a

SHA512
c4cd6b19abdb07d7ae67dcf0049c76f055a886b78dafe417b0a69b8510712e56dd03f47a3965055eb906ca8f2322b906fe2d4d69bedcc4a5e567bd406e6281f1

Download Submit
\??\c:\Program Files\7-Zip\Lang\ba.txt

Filesize
3.6MB

MD5
17775530b25807bd9e5d863a59cc43dd

SHA1
c4b8aced8341df612c0bef71afdafe57a5718bf7

SHA256
c4548fa51a7da93383990ab71ccad94e4beb0fbcdedff9ec0b03749ca50a809e

SHA512
70c3b115368a6d69705ff6a4cffbffc754f3850ad0716a5949723f6a0c0b9fc511742eba085b8197875dc66c1d622358782c23594d11c4153a46eeab2502ae5f

Download Submit
\??\c:\Program Files\7-Zip\Lang\be.txt

Filesize
3.6MB

MD5
579b50a5d370a9e5470fb3bd9650dbdb

SHA1
703af96bcddcdc69c0786ca78a83938f28eb848b

SHA256
eba350f28ada42b2a08ebdb32ca57c7f06776c159a0e553960779b555730f9df

SHA512
39ecc6b80b04900aac8f1814e43c2cc62350513c7d8ca31bd64c4230248af8b8fd79a1fa66fff877cbe925295096e8f01ef92ea47da10a0f4ef5b4002ff43347

Download Submit
\??\c:\Program Files\7-Zip\Lang\bg.txt

Filesize
3.6MB

MD5
26ada37e291ca228425cf3442194a55b

SHA1
e4914e8bf3bfb044868cee8b3de61a5e89cd0570

SHA256
e7397f47f13b66bc7aa28892fa112b2bdae34a3d81488adb3af28f5c6fd58231

SHA512
404e8c7aadecd90ca14bc08047c00bbfc746536f7a89b8e8fa2b1f4ca3a9bc7044f302ba6ae0835f403ffcbe5f98b31b2e13eb66c13241307415379f7e60165e

Download Submit
\??\c:\Program Files\7-Zip\Lang\bn.txt

Filesize
3.6MB

MD5
c3e4ba5314e75a4e450c832d3e7c8ecb

SHA1
5c0aebe2444171dd100e7bc5d55c7b7769c45d93

SHA256
d110f2aad8a58441a2e17c07fda8efa4b198d891de4664f09554485e376ed152

SHA512
6e04ecfc853814ce083a6e770f6cbea9ef87bcc5130398e3f1137229ea7eaa66b0d67f4577e627def9f14f6423d453413f4bc2ab6e6ed8972128bd4aee198c17

Download Submit
\??\c:\Program Files\7-Zip\Lang\br.txt

Filesize
3.6MB

MD5
054581ceb27f91734e5fb4656f2725a5

SHA1
b5dfdfb4ff9baf0a14a0e4073a49c0e657263129

SHA256
2e33162490ea9022997cc465a176a1aa0129eb3d5f4d0589d4acc38f5e0fe116

SHA512
a1bf9fd1912479abab644e0504cdb6ccea4848f276fa05ac755c9468796bd8354a266b076363bfd3c4f346e5ce7db17fbad5e5fbaf856c6f2da22304f4c96ae8

Download Submit
\??\c:\Program Files\7-Zip\Lang\ca.txt

Filesize
3.6MB

MD5
16657c032b20c0d31bdf68dbfa69ae0c

SHA1
2674b31302d8b2d46b7101c5b3e9d57316b26667

SHA256
8eb438b7a147cf47efa5111f581295dc70099010e5d9a803774b2aa5521e77c4

SHA512
879ee9b33a95b833184e6ab31d2ce21eeb6d6550e790624ec41e496dd568a2d1f74a122b25aea36a38bea8076a3dc2482d63bf7099e8e55f88dfad86d29c8362

Download Submit
\??\c:\Program Files\7-Zip\Lang\co.txt

Filesize
3.6MB

MD5
800a45c9f7a2619cc6791f9c05b6b913

SHA1
bd4c24c1e111c1692fbde4529a6a5280619c1edb

SHA256
236f00f30964df9613a364bdbd317d70ed43b4b46cda74483ed2904cd9cd6114

SHA512
c06dd6a2199b4f0db0886d5ae54d6f445ede008ef2c9643896d7b639b821bb389c7c8408cf2d526c59e3098254257bb0f0331b545f61db1a734f568f3ed55d07

Download Submit
\??\c:\Program Files\7-Zip\Lang\cs.txt

Filesize
3.6MB

MD5
d255d7783c6f56c3005fe2e78fe34467

SHA1
583250a3b5be466cce105bad17cb7491564d57d0

SHA256
31b55bd49be66fbc51082ec4a43b524118768cca4b4942f720eae8216c94dee2

SHA512
981b64c13ab1d7e3f7044f205b4414994193799efafcc78da882278c5cfa1fd03a76e205cd54d3199b1f0910b6274358cb92f7ad9d3ba1a47499a46026887413

Download Submit
\??\c:\Program Files\7-Zip\Lang\cy.txt

Filesize
3.6MB

MD5
1726599877187f479353d898f765d212

SHA1
cd0676589caa694371a0f7178fce55d8fa147070

SHA256
48c6bf474b9ee73b26c6a522742cb78444aac85a6ba6176e0f4a846dbb3fb6f5

SHA512
9168e34ffc53e33aafbf6d927020d5e5b3abf5f6a696a939ebc2d6913165765cd4f1244330256553a39e07395ba0f8bd190a05d33f72d78d18b5cef010846985

Download Submit
\??\c:\Program Files\7-Zip\Lang\da.txt

Filesize
3.6MB

MD5
0cf92f0fd039496f2a1a59674c15b4c1

SHA1
3dd3af4f2b34bbef0afa3f0a97a41a062c249995

SHA256
a7787e4868beae7ad347944b8c25b7aa77761c73b67e9bd685d9337f51f9b1d9

SHA512
01ac1849bfd243e3e2715182916859381811e738620ffcdce9fb52c1aff88efeccb964e07341f3297992ceaaa328ecfd43e773398d2838db653898fee8b1b281

Download Submit
\??\c:\Program Files\7-Zip\Lang\de.txt

Filesize
3.6MB

MD5
2efce12f3720b6c9637ff144c8c6bedb

SHA1
e659ccec47287ec2ed5fc9331851eac184e7b106

SHA256
95740bebb7f5580058ec7b2985b027fac9111a39801a6b251072d60d4204a6c3

SHA512
2178093cef9d5c00b4d1d706601a43099f1f5a2af4f3bb5bcb0ef47074d0005903f350eed96a38a99c774eab92280745c7ce0fc34781871a07921304a9c750dd

Download Submit
\??\c:\Program Files\7-Zip\Lang\el.txt

Filesize
3.6MB

MD5
b37537d00b2275b2b9f1a540248e5e20

SHA1
d1ea0f5661132d0040c8673afce1619b2ac01484

SHA256
8b85fa882ff3b314f4036a82c26a9af0f9f5f59accb8c4020958709c5d5cfb43

SHA512
e6f884ce75759a7f122773853ee19047e876b89ddb64f502c73fcffec7375b43c48d719df37acaeb3b5c9639907d39f00b50214cd5f7266ec5248038ff0adeea

Download Submit
\??\c:\Program Files\7-Zip\Lang\en.ttt

Filesize
3.6MB

MD5
37297552ba6ef751d99584d17cc75d73

SHA1
73f3631436c20aa7bd968ad08238172c1f013e49

SHA256
5351f83685ad4faffdd4f9a1faca03b19c0a5f20284e2fee1e6ba19ca124883e

SHA512
9d284368847ea6ff51bfeb4b2c608c32a393a1e7b9fce739f1a35137496a1d394681ac9ba466ef105b0dea64ec7ed44f2dc9a05779acfae4a04fc6ea20a9fdaa

Download Submit
\??\c:\Program Files\7-Zip\descript.ion

Filesize
3.6MB

MD5
ed52d70ab8937c5c2e9c76227fcc734c

SHA1
a22b383c2324edd08d89af7f4e54283b3f8affae

SHA256
f35f182ee6e7c268e719fa5d8871886b36c4e91ef0b411014f88fbf596fa77fb

SHA512
4181c2d575a1ff8582ae505a946960e9cb3eeceb213b4cab883c3d24f141efdfbc48c9c08476141214169bd6fbc5910716505638a30592e40ecc4fb576cf89f3

Download Submit
memory/680-2092-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/680-4005-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1948-4191-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2432-7499-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2432-7635-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2536-7550-0x0000000073BE0000-0x0000000073C62000-memory.dmp

Filesize
520KB

Download
memory/2536-7795-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/2536-7553-0x0000000073860000-0x0000000073882000-memory.dmp

Filesize
136KB

Download
memory/2536-7554-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/2536-8356-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/2536-8189-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/2536-7551-0x0000000073920000-0x0000000073B3C000-memory.dmp

Filesize
2.1MB

Download
memory/2536-7678-0x0000000073BE0000-0x0000000073C62000-memory.dmp

Filesize
520KB

Download
memory/2536-7688-0x0000000073860000-0x0000000073882000-memory.dmp

Filesize
136KB

Download
memory/2536-7689-0x0000000073BC0000-0x0000000073BDC000-memory.dmp

Filesize
112KB

Download
memory/2536-7687-0x0000000073890000-0x0000000073912000-memory.dmp

Filesize
520KB

Download
memory/2536-7680-0x0000000073920000-0x0000000073B3C000-memory.dmp

Filesize
2.1MB

Download
memory/2536-7552-0x0000000073890000-0x0000000073912000-memory.dmp

Filesize
520KB

Download
memory/2536-7679-0x0000000073B40000-0x0000000073BB7000-memory.dmp

Filesize
476KB

Download
memory/2536-7676-0x0000000000970000-0x0000000000C6E000-memory.dmp

Filesize
3.0MB

Download
memory/2996-7634-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2996-7494-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3548-7802-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3656-7659-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3656-7794-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3840-7644-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3916-7636-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4304-7731-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4304-7806-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4584-7803-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4812-7809-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5244-7283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download