Resubmissions
24-01-2022 18:12
220124-ws75xsgcf6 114-01-2022 15:34
220114-szqyfahceq 1008-01-2022 19:45
220108-ygvfssdbh9 1008-01-2022 19:45
220108-ygvfssdbh8 1008-01-2022 19:34
220108-x95xkadbh3 807-01-2022 14:28
220107-rsy5sscda4 1006-01-2022 19:07
220106-xszdfsbee2 10Analysis
-
max time kernel
318s -
max time network
351s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-12-2021 17:50
General
-
Target
https://youtube.com
Score
10/10
Malware Config
Extracted
Path
C:\HJPEH-MANUAL.txt
Family
gandcrab
Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJPEH
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c51f259fdf60d9
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAEKqxvD3Gx1Guix9gVoiOpOB1gjVPn1ARzd3Alfd+/jrY6QNPtf3naxp4HHiiMPF1oIueiHdXBcydeAhr7xnKw7LX1vIS/wFXJ3gy18wu+vO1mfzyF0Bq7wShmGclnWLbDJcR7oocEKVx5unSzXccG7fwh5xI9jNHWqdeSLisamlcOGEGqVYyqgFRhRJ4QQtkgeHLOuM49XvEeukxvWch/tBsv2KBUMVK1DOKwhw/7qZTAgLWSo5Cp8rn+hZfmVUeM9nyO+chkhS9xUQ+yYD/Z/vd30grAeu3XfeHuX8pwFwAYcvSHZVS7eNVTe5sKOtVAES0HInJb9JFs7/HlXHN7Pxoc9il5334QddU8c2qcogcVD6NYSJh50d/orBXNsro6TCHoOZFlcVm8zWGjLPkMnic3qNx/6eG383M09S75A6D9guaRaEW2173pzvvqcH7YMkXb6DoFaOUbhDq2hHZVdKADgNBHJ+1/2gvSWJUGfcvKrFV1WMv5KbUv/dIYjHrJLODITqtIC4Z3O4mb4jcD3NK9HqLJzO3E14OWtQxetrZ80Fs+qhAs0z1LWRx8c+4shp2ksyeiA7qXfk5Mc2p5eTEDC87LBRA0ka4tescPThacMZvv3X1L+no3Zu2iZem7epHJTZQYVMwX2gPOe/TMtknzdxcUbLqH07Imw7TU6bIlwMXvhQRgZXq0IIljp6l9d7akv+aapnLaP03Ab599PnKdMMfN0v/tkrlYoQMUTvCbyAR36kCiwLoMDSSU06OOb8kus9I6dmN5oVLIf1kNKK1pC2aaZhSdlkAaNjnLyGQq1rEsiWb/ef7aO6PNQWIfmByvHMp95IDMxql247+4pxiT5HAOcJfJCNr5z7ZM4IXa77OWN0dEi9CkfiI760X2Y7vhVQ1wBUc05NiiS2emHFE/GBndADf+ibl4TEvdir1XBDFaEA+0PJOZufhlfTfpEBeDhHiXYfPodSzqa6xLsq4w1WK1b+a4Mw/Jknnng62yKCZAB9gKiDEteYNT1qgFutN5ZzRiCZzr3NmZ6mheLngH0dnlzo0jfZC5ZYTOvuLEJPfPAQEEsw0kwAD0av/dc5GARPz71x9rDTHCOFzaMRAufLI+8EP0nS4caIyDhWOeLh3Z8bAyuj6/Lsy98yj2vdO1ZgSKgKtJH4kFIVwJn4X78C8WFwgBv45vOftY2wjB3vPAQ+PpM43cBtUv97wgwLPSvn0gHruTVJ/LdoqRci6jSgSrOqWrLnufYwkT6Xj6+T+zrn2yJk/tBQaY3PJAUCvxqbE8n50wuiFbIZpz3Epado07dBUXHYB6isyH75Rb6/19BkUxkkjmuOJj8VEmcmhD0qKoyhvAxiQwR0939s6qrrRTQdxcamxljrThfq+KDSwRHXkxfU+jXqmwCmW0xH6MLQLt21/otidde8IItPKqO6KlFz1hqH6v8BYUM41EDVnVbuukEMxR4meYq2cclnlf0yUfnu7TXjMxcAlFvfW0w2s3i1NsW8SVTgfDOijL27HqPW5GmvodJyHKgcMaGPsTJKn7xpxbHCfMeAstLr+F3nqREk3d6N3cZmk2G26u2SP35oQQpKdHReeK+OrNd4D4KnvGRnzu/SmcF6MugSxAARdwiOvCrCbcoSF5guQmUbOXtaOKqfs2b0U9oMf1bxJfh+lyZGHADYxJzoDhS0G3xW1fG1Jtfvi9RP98TqrceB845AT4oWF98GiyAm0AYjBypxYFwtEb0j6ilDetRf+B0WbFb7ewL0Coua2h2Z6nC8CMZZnzMEQfUJF+QguvU06gDmf262R9ktGuiDwurlsHmB4/rs2/bkUf8F3/NmKAHC/28b2RhRBz7PSoavOS03b3YCHnE8ZBpFoE2gW7BBxWt1+ji0EbVCp6HGBuExlzo5rvSaSdri5ysdptqMTLPv6e+Ojn0LdaQ1fRmP9O4jcT2r46lajWVi1inRDJQWVQUeww2zbE+ltlwq8+DXaVmsuwSsnpwUei6Pd22XoZZfWRAwbvggWihv/3CXjn81SPl4nFtQ5u4PjwICSR301Za8gSLs08MjUd9BCmJ9oIM8r8EPokWDs6+He0DoiRcF/HqDP9pI5fPRMCV6zduH5GbsYO0zVYYzAPrXNkp2KmbGdCM9LENo2eX584lCMX0i9q8zTv0+5pbd4o08rioylwv82DWL8FALyI0SDYyFo2fAmuHwhDxd6p6NN3cYg1cZvZ363g2XzVlDg3jkdVO7i7+Swrw=
---END GANDCRAB KEY---
---BEGIN PC DATA---
7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDz9NTJN5DRAuyVsODZRWLIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNxjWLwyoIX95yRHFXKdMI+BkVChenio/1q0nJSZoF9ASQvO7zBnmOH7+ICDGAMpA6ikRTAVJPeY0x9SBCDAtLOJK9BZBnJqqMY+R7S3OLHamYyR2EfUP9Tyj/NvLMLjIKOKr31WweYTT0LJ2PaxLzN0vveOSzCzgKAooTvFp52CPC+x4ShHudvoPFoD6iWVwumrqBpvYbwCrtMytS9e1a6lUjmS7q14AOwugXqwckyKb/0f4NwELWWjqbjawFji+DPJKLqg0o3dWOf+twlLvHCigIFeEudEtyMvAIvhltRRIBf1D0HFyeWMPZ1Z1lc/pOQ=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/c51f259fdf60d9
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 10 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 33 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry 2 TTPs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 7 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 32 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe70c84f50,0x7ffe70c84f60,0x7ffe70c84f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6008 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3220 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:82⤵
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=RuRBqrIGEQGpF+GadOfc7Y+eOqwPasJcIH6+dADS --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=96.276.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6d3e5f510,0x7ff6d3e5f520,0x7ff6d3e5f5303⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3168_OYDKRCEKIUBFRSKC" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=1791137155801378184 --mojo-platform-channel-handle=696 --engine=23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3168_OYDKRCEKIUBFRSKC" --sandboxed-process-id=3 --init-done-notifier=924 --sandbox-mojo-pipe-token=10874859809171559376 --mojo-platform-channel-handle=9203⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1016 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1284 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1520,15936392433086943174,4623671684009941973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Ransomware\Cerber5.exe"C:\Users\Admin\Desktop\Ransomware\Cerber5.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___993VY9PI_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 17403⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___FKSIT4GL_.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit2⤵
-
C:\Users\Admin\Desktop\Ransomware\DeriaLock.exe"C:\Users\Admin\Desktop\Ransomware\DeriaLock.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Ransomware\Dharma.exe"C:\Users\Admin\Desktop\Ransomware\Dharma.exe"1⤵
-
C:\Users\Admin\Desktop\Ransomware\ac\nc123.exe"C:\Users\Admin\Desktop\Ransomware\ac\nc123.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Users\Admin\Desktop\Ransomware\ac\mssql.exe"C:\Users\Admin\Desktop\Ransomware\ac\mssql.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Ransomware\ac\mssql2.exe"C:\Users\Admin\Desktop\Ransomware\ac\mssql2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Ransomware\Fantom.exe"C:\Users\Admin\Desktop\Ransomware\Fantom.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Ransomware\$uckyLocker.exe"C:\Users\Admin\Desktop\Ransomware\$uckyLocker.exe"1⤵
- Sets desktop wallpaper using registry
-
C:\Users\Admin\Desktop\Ransomware\7ev3n.exe"C:\Users\Admin\Desktop\Ransomware\7ev3n.exe"1⤵
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Ransomware\InfinityCrypt.exe"C:\Users\Admin\Desktop\Ransomware\InfinityCrypt.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Ransomware\Birele.exe"C:\Users\Admin\Desktop\Ransomware\Birele.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Ransomware\BadRabbit.exe"C:\Users\Admin\Desktop\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1993666915 && exit"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1993666915 && exit"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:21:003⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:21:004⤵
- Creates scheduled task(s)
-
C:\Windows\472.tmp"C:\Windows\472.tmp" \\.\pipe\{4924D939-AC2A-4061-BECF-A47ECD476C0E}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Ransomware\GandCrab.exe"C:\Users\Admin\Desktop\Ransomware\GandCrab.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ada055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Modify Registry
5Bypass User Account Control
1Disabling Security Tools
1File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exeMD5
75ea9cd845ff0a9b46043972dfed4368
SHA1e672a812c729a88c94d4a43dfecbdffb12337fc9
SHA25640aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673
SHA512b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exeMD5
75ea9cd845ff0a9b46043972dfed4368
SHA1e672a812c729a88c94d4a43dfecbdffb12337fc9
SHA25640aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673
SHA512b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exeMD5
75ea9cd845ff0a9b46043972dfed4368
SHA1e672a812c729a88c94d4a43dfecbdffb12337fc9
SHA25640aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673
SHA512b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exeMD5
75ea9cd845ff0a9b46043972dfed4368
SHA1e672a812c729a88c94d4a43dfecbdffb12337fc9
SHA25640aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673
SHA512b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exeMD5
75ea9cd845ff0a9b46043972dfed4368
SHA1e672a812c729a88c94d4a43dfecbdffb12337fc9
SHA25640aa60810b802c5d68c3c105414fed22ad7481c34eed213fec4da5d59a125673
SHA512b58d83663c0bfcd916e25f17215892f80d3511e4905c7348a45be3cdc80557c83ba6f2d1933a1db8f1d369d4cd02d2066cafb2d48c9a538054ce6d5fff97cdba
-
C:\Users\Admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.logMD5
7b81fca6115c56acb733d797848b4a74
SHA11da4b834dd386e43fb4a7e5fa24b2d0d38710e19
SHA2560e38101a328e4358bbc9b820af72fc1baefe1ec5ec3a72c152d712d1d8d0d6d1
SHA512cb02008389116b9ec1b98dbda65e9bcb1846f0607527e92154b5c8df4e4f954b72fc64bfaa97c5af9ea2179cfe9dc9d129fbf21d1ff57ae2eb64ceb53e1bb8dd
-
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.datMD5
4970c6281b87fe28ada9147960a5cbbd
SHA12fb75e20a63355cf4ceef892a266ed2d27b4dea1
SHA256c5c0263e3adfb60840d0dba02b121781167b27e1be3c5a0635d44e7731e932a6
SHA512fc0af1aa89a03dbfca77c77bc8c61de7f02629487281b45f06e195fdd1ae76f3b6eee8b8e06085dd60bfc693f6184b8a9e6bdb3fe566375e5c0a9ee09071f41d
-
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.datMD5
4970c6281b87fe28ada9147960a5cbbd
SHA12fb75e20a63355cf4ceef892a266ed2d27b4dea1
SHA256c5c0263e3adfb60840d0dba02b121781167b27e1be3c5a0635d44e7731e932a6
SHA512fc0af1aa89a03dbfca77c77bc8c61de7f02629487281b45f06e195fdd1ae76f3b6eee8b8e06085dd60bfc693f6184b8a9e6bdb3fe566375e5c0a9ee09071f41d
-
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.datMD5
4970c6281b87fe28ada9147960a5cbbd
SHA12fb75e20a63355cf4ceef892a266ed2d27b4dea1
SHA256c5c0263e3adfb60840d0dba02b121781167b27e1be3c5a0635d44e7731e932a6
SHA512fc0af1aa89a03dbfca77c77bc8c61de7f02629487281b45f06e195fdd1ae76f3b6eee8b8e06085dd60bfc693f6184b8a9e6bdb3fe566375e5c0a9ee09071f41d
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\edls_64.dllMD5
e9a7c44d7bda10b5b7a132d46fcdaf35
SHA15217179f094c45ba660777cfa25c7eb00b5c8202
SHA25635351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1
SHA512e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em000_64.dllMD5
d0cf72186dbaea05c5a5bf6594225fc3
SHA10e69efd78dc1124122dd8b752be92cb1cbc067a1
SHA256225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
SHA5128122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em001_64.dllMD5
7adcb76ec34d774d1435b477e8625c47
SHA1ec4ba0ad028c45489608c6822f3cabb683a07064
SHA256a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d
SHA512c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em002_64.dllMD5
8398e65877faf2f60a611aed37c7d638
SHA1b21222cda1590ead5e07f9253ac08ea4796a0031
SHA256f8ae1f73552c0881660fc4c1c6690a73097e535f6b93b3d9d263c03fe309183f
SHA5123ac54c58bab7a78164e2f536d02349ba36c83e904807a20889f0203de29ae217e4d7a12e4be40bf37f5757a329753475e30ebe720791afdc8f84251f5f159767
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em003_64.dllMD5
3c4af468709f2d586ab4c2819633616c
SHA1965fb6969acadcec77cc9918153b01f56fc209cd
SHA25616bc60d0297ffff802d1b270bca8fded4339ac2f255f50e2a632dffbf369a6c8
SHA512ef2808b02700dc70ecaed4aed3056b196ae38028c9caebace88da058b51c81b264343d045be76cd592737117c1cb1ab6d5291fb344783213f34609ce7ea6970a
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em004_64.dllMD5
68258a5cff71fdaf66bc1ef5da5ac004
SHA1aed0bd7481c36175b3f8267caeab0b3c0fc06520
SHA2569737130b8f090a39e27dd71685315dc5e7c1b6b8a251ac0b9788871d574d7710
SHA5126c4ca70593f83703db1cfb2f24465939a27e771e1e465dee27baf04b202e42653f26ed8713092fabc5b2f82394644295a597c5cb38a1db49eb1a7f0a7f67d8c6
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\em005_64.dllMD5
169a2ef320119891cf3189aa3fd23b0e
SHA1de51c936101ef79bbc0f1d3c800cf832d221eef8
SHA2561072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
SHA5127fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca
-
\??\pipe\crashpad_2504_HLYNNVJGPOLDBCFXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_3168_OYDKRCEKIUBFRSKCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\edls_64.dllMD5
e9a7c44d7bda10b5b7a132d46fcdaf35
SHA15217179f094c45ba660777cfa25c7eb00b5c8202
SHA25635351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1
SHA512e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em000_64.dllMD5
d0cf72186dbaea05c5a5bf6594225fc3
SHA10e69efd78dc1124122dd8b752be92cb1cbc067a1
SHA256225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
SHA5128122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em001_64.dllMD5
7adcb76ec34d774d1435b477e8625c47
SHA1ec4ba0ad028c45489608c6822f3cabb683a07064
SHA256a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d
SHA512c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em002_64.dllMD5
8398e65877faf2f60a611aed37c7d638
SHA1b21222cda1590ead5e07f9253ac08ea4796a0031
SHA256f8ae1f73552c0881660fc4c1c6690a73097e535f6b93b3d9d263c03fe309183f
SHA5123ac54c58bab7a78164e2f536d02349ba36c83e904807a20889f0203de29ae217e4d7a12e4be40bf37f5757a329753475e30ebe720791afdc8f84251f5f159767
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em003_64.dllMD5
3c4af468709f2d586ab4c2819633616c
SHA1965fb6969acadcec77cc9918153b01f56fc209cd
SHA25616bc60d0297ffff802d1b270bca8fded4339ac2f255f50e2a632dffbf369a6c8
SHA512ef2808b02700dc70ecaed4aed3056b196ae38028c9caebace88da058b51c81b264343d045be76cd592737117c1cb1ab6d5291fb344783213f34609ce7ea6970a
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em004_64.dllMD5
68258a5cff71fdaf66bc1ef5da5ac004
SHA1aed0bd7481c36175b3f8267caeab0b3c0fc06520
SHA2569737130b8f090a39e27dd71685315dc5e7c1b6b8a251ac0b9788871d574d7710
SHA5126c4ca70593f83703db1cfb2f24465939a27e771e1e465dee27baf04b202e42653f26ed8713092fabc5b2f82394644295a597c5cb38a1db49eb1a7f0a7f67d8c6
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\em005_64.dllMD5
169a2ef320119891cf3189aa3fd23b0e
SHA1de51c936101ef79bbc0f1d3c800cf832d221eef8
SHA2561072d49da0a70640fb9716cb894f4834ff621ca96d4aea1f478754edf4d0f780
SHA5127fe27d360bbf6d410ea9d33d6003ab455cd8b9e5521c00db9bb6c44a7472ccf2083d51034bab5ffc5aef85db36fc758c76b02fa31f0d0024c9d532548a2bf9ca
-
memory/308-227-0x0000000000000000-mapping.dmp
-
memory/732-229-0x0000000000000000-mapping.dmp
-
memory/820-228-0x0000000000000000-mapping.dmp
-
memory/996-167-0x0000000000520000-0x0000000000526000-memory.dmpFilesize
24KB
-
memory/996-165-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1040-214-0x0000000000400000-0x00000000052B3000-memory.dmpFilesize
78.7MB
-
memory/1064-128-0x000001A061CC0000-0x000001A061CC2000-memory.dmpFilesize
8KB
-
memory/1064-125-0x000001A061D37000-0x000001A061D38000-memory.dmpFilesize
4KB
-
memory/1064-131-0x00007FFE7DC20000-0x00007FFE7DC21000-memory.dmpFilesize
4KB
-
memory/1064-130-0x00007FFE7E090000-0x00007FFE7E091000-memory.dmpFilesize
4KB
-
memory/1064-126-0x0000000000000000-mapping.dmp
-
memory/1064-129-0x000001A061CC0000-0x000001A061CC2000-memory.dmpFilesize
8KB
-
memory/1092-226-0x0000000000000000-mapping.dmp
-
memory/1716-196-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/1716-201-0x0000000004963000-0x0000000004964000-memory.dmpFilesize
4KB
-
memory/1716-243-0x0000000005300000-0x000000000530E000-memory.dmpFilesize
56KB
-
memory/1716-185-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/1716-191-0x00000000050B0000-0x00000000050BA000-memory.dmpFilesize
40KB
-
memory/1716-179-0x0000000004970000-0x0000000004E6E000-memory.dmpFilesize
5.0MB
-
memory/1716-183-0x0000000004ED0000-0x0000000004F62000-memory.dmpFilesize
584KB
-
memory/1716-162-0x00000000022C0000-0x00000000022F2000-memory.dmpFilesize
200KB
-
memory/1716-199-0x0000000004962000-0x0000000004963000-memory.dmpFilesize
4KB
-
memory/1716-168-0x00000000048F0000-0x0000000004922000-memory.dmpFilesize
200KB
-
memory/1716-181-0x0000000004964000-0x0000000004966000-memory.dmpFilesize
8KB
-
memory/2164-237-0x0000000000000000-mapping.dmp
-
memory/2336-148-0x0000000000000000-mapping.dmp
-
memory/2336-150-0x000002355BC30000-0x000002355BC32000-memory.dmpFilesize
8KB
-
memory/2336-147-0x000002355BCAE000-0x000002355BCAF000-memory.dmpFilesize
4KB
-
memory/2336-151-0x000002355BC30000-0x000002355BC32000-memory.dmpFilesize
8KB
-
memory/2688-234-0x0000000000000000-mapping.dmp
-
memory/2832-193-0x0000000004C80000-0x000000000517E000-memory.dmpFilesize
5.0MB
-
memory/2832-166-0x0000000000310000-0x000000000037E000-memory.dmpFilesize
440KB
-
memory/2832-175-0x0000000005180000-0x000000000567E000-memory.dmpFilesize
5.0MB
-
memory/2832-180-0x0000000004BC0000-0x0000000004C52000-memory.dmpFilesize
584KB
-
memory/2832-209-0x0000000004C80000-0x000000000517E000-memory.dmpFilesize
5.0MB
-
memory/2832-190-0x0000000004BB0000-0x0000000004BBA000-memory.dmpFilesize
40KB
-
memory/2832-161-0x0000000000310000-0x000000000037E000-memory.dmpFilesize
440KB
-
memory/3056-158-0x0000000001010000-0x0000000001011000-memory.dmpFilesize
4KB
-
memory/3056-159-0x0000000001010000-0x0000000001011000-memory.dmpFilesize
4KB
-
memory/3168-119-0x000002085D440000-0x000002085D442000-memory.dmpFilesize
8KB
-
memory/3168-118-0x000002085D440000-0x000002085D442000-memory.dmpFilesize
8KB
-
memory/3168-116-0x0000000000000000-mapping.dmp
-
memory/3252-176-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3252-172-0x0000000001640000-0x0000000001671000-memory.dmpFilesize
196KB
-
memory/3256-233-0x0000000000000000-mapping.dmp
-
memory/3592-178-0x0000000005C90000-0x000000000618E000-memory.dmpFilesize
5.0MB
-
memory/3592-194-0x0000000005650000-0x000000000565A000-memory.dmpFilesize
40KB
-
memory/3592-182-0x0000000005790000-0x0000000005822000-memory.dmpFilesize
584KB
-
memory/3592-252-0x00000000015A0000-0x0000000001606000-memory.dmpFilesize
408KB
-
memory/3592-170-0x0000000000E00000-0x0000000000E3C000-memory.dmpFilesize
240KB
-
memory/3592-163-0x0000000000E00000-0x0000000000E3C000-memory.dmpFilesize
240KB
-
memory/3592-189-0x0000000005790000-0x0000000005C8E000-memory.dmpFilesize
5.0MB
-
memory/3592-173-0x00000000056F0000-0x000000000578C000-memory.dmpFilesize
624KB
-
memory/3592-253-0x0000000005790000-0x0000000005C8E000-memory.dmpFilesize
5.0MB
-
memory/3592-197-0x00000000058F0000-0x0000000005946000-memory.dmpFilesize
344KB
-
memory/3676-232-0x0000000000000000-mapping.dmp
-
memory/3680-236-0x0000000000000000-mapping.dmp
-
memory/3708-231-0x0000000000000000-mapping.dmp
-
memory/3792-244-0x0000000000000000-mapping.dmp
-
memory/3792-245-0x0000000000830000-0x000000000083C000-memory.dmpFilesize
48KB
-
memory/3792-246-0x0000000000830000-0x000000000083C000-memory.dmpFilesize
48KB
-
memory/3792-247-0x000000001C930000-0x000000001C932000-memory.dmpFilesize
8KB
-
memory/3956-235-0x0000000000000000-mapping.dmp
-
memory/3960-123-0x0000014F4DB60000-0x0000014F4DB62000-memory.dmpFilesize
8KB
-
memory/3960-122-0x0000014F4DB60000-0x0000014F4DB62000-memory.dmpFilesize
8KB
-
memory/3960-120-0x0000000000000000-mapping.dmp
-
memory/4024-169-0x0000000004DE0000-0x0000000004E7C000-memory.dmpFilesize
624KB
-
memory/4024-192-0x0000000004EA0000-0x0000000004EAA000-memory.dmpFilesize
40KB
-
memory/4024-164-0x0000000000570000-0x00000000005F2000-memory.dmpFilesize
520KB
-
memory/4024-186-0x0000000004EE0000-0x00000000053DE000-memory.dmpFilesize
5.0MB
-
memory/4024-208-0x0000000004EE0000-0x00000000053DE000-memory.dmpFilesize
5.0MB
-
memory/4024-195-0x00000000050E0000-0x0000000005136000-memory.dmpFilesize
344KB
-
memory/4024-160-0x0000000000570000-0x00000000005F2000-memory.dmpFilesize
520KB
-
memory/4024-174-0x00000000053E0000-0x00000000058DE000-memory.dmpFilesize
5.0MB
-
memory/4024-177-0x0000000004F80000-0x0000000005012000-memory.dmpFilesize
584KB
-
memory/4100-184-0x0000000000000000-mapping.dmp
-
memory/4116-250-0x0000000000000000-mapping.dmp
-
memory/4132-200-0x0000000000670000-0x00000000006D8000-memory.dmpFilesize
416KB
-
memory/4132-206-0x0000000000670000-0x00000000006D8000-memory.dmpFilesize
416KB
-
memory/4132-187-0x0000000000000000-mapping.dmp
-
memory/4152-248-0x0000000000000000-mapping.dmp
-
memory/4156-188-0x0000000000000000-mapping.dmp
-
memory/4216-240-0x0000000000000000-mapping.dmp
-
memory/4268-230-0x0000000000000000-mapping.dmp
-
memory/4344-238-0x0000000000000000-mapping.dmp
-
memory/4356-207-0x0000000000000000-mapping.dmp
-
memory/4420-239-0x0000000000000000-mapping.dmp
-
memory/4432-210-0x0000000000000000-mapping.dmp
-
memory/4440-251-0x0000000000000000-mapping.dmp
-
memory/4480-211-0x0000000000000000-mapping.dmp
-
memory/4508-249-0x0000000000000000-mapping.dmp
-
memory/4516-212-0x0000000000000000-mapping.dmp
-
memory/4516-213-0x0000000002963000-0x0000000002966000-memory.dmpFilesize
12KB
-
memory/4644-215-0x0000000000000000-mapping.dmp
-
memory/4688-216-0x0000000000000000-mapping.dmp
-
memory/4736-217-0x0000000000000000-mapping.dmp
-
memory/4780-218-0x0000000000000000-mapping.dmp
-
memory/4804-219-0x0000000000000000-mapping.dmp
-
memory/4824-220-0x0000000000000000-mapping.dmp
-
memory/4852-221-0x0000000000000000-mapping.dmp
-
memory/4864-242-0x0000000000000000-mapping.dmp
-
memory/4896-222-0x0000000000000000-mapping.dmp
-
memory/5068-223-0x0000000000000000-mapping.dmp
-
memory/5080-224-0x0000000000000000-mapping.dmp
-
memory/5104-241-0x0000000000000000-mapping.dmp
-
memory/5112-225-0x0000000000000000-mapping.dmp