Resubmissions

20-03-2022 09:45

220320-lref4sbghm 10

20-03-2022 08:52

220320-ks5t1sbca7 10

20-03-2022 07:17

220320-h4fyxsaee6 10

20-03-2022 06:45

220320-hjkrdaabg5 10

Analysis

  • max time kernel
    2110s
  • max time network
    2019s
  • platform
    windows10_x64
  • resource
    win10-20220310-en
  • submitted
    20-03-2022 09:45

General

  • Target

    13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf

  • Size

    2.6MB

  • MD5

    7f6060451f81564336bd5d9e5c95797a

  • SHA1

    70c756af084d013e703d5e1c0f561eea6cb2f781

  • SHA256

    13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

  • SHA512

    c5263836ef7264e48e4166042827340244fe430b490ad41acde7fef378757731e7d3fecfe05c5d75695d32dcba7a13db86bea36366c5f4fb1e0ea3e321032abf

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\sample.txt

Family

ryuk

Ransom Note

Emails

github@eset.com

cdoman@cadosecurity.com

URLs

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html

https://unit42.paloaltonetworks.com/bazarloader-malware/

Extracted

Path

C:\Users\Admin\Desktop\try.txt

Family

ryuk

Ransom Note

Emails

github@eset.com

cdoman@cadosecurity.com

URLs


Extracted

Path

C:\Users\Admin\AppData\Local\Temp\708_264607501\english_wikipedia.txt

Family

prometheus

Ransom Note
Signatures

  • Prometheus Ransomware

    Ransomware family that mostly targets the manufacturing industry and claims to be affiliated with REvil.

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 34 IoCs
  • Opens file in notepad (likely ransom note) 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0880D8DD15A2217992F11FC1BD39F2F4 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        3⤵
          PID:2720
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E29B4D263A25EF8240A244D05A666879 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E29B4D263A25EF8240A244D05A666879 --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
          3⤵
            PID:2732
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BBB4BD5E785EE6CB064012B5ED52C4D9 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            3⤵
              PID:1440
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=79EA89AD0BE93D442245E6C10FA295BE --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              3⤵
                PID:2036
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5F513C487D237090281A1C5EEA45221 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                3⤵
                  PID:196
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
  PID:1504
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
  • Drops file in Windows directory
  • Modifies registry class
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious use of SetWindowsHookEx
  PID:4960
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf
    2⤵
    • Opens file in notepad (likely ransom note)
    PID:4160
• C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sample.txt
  1⤵
  • Modifies registry class
  • Opens file in notepad (likely ransom note)
  • Suspicious use of SetWindowsHookEx
  PID:3872
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  PID:4384
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4528
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.0.1649647212\653760035" -parentBuildID 20200403170909 -prefsHandle 1508 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219609 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 1600 gpu
      3⤵
      PID:652
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.3.1759880625\82505900" -childID 1 -isForBrowser -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 122 -prefMapSize 219609 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2260 tab
      3⤵
      PID:512
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.13.251116746\6877299" -childID 2 -isForBrowser -prefsHandle 2952 -prefMapHandle 2168 -prefsLen 989 -prefMapSize 219609 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 2216 tab
      3⤵
      PID:4876
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4528.20.1811639624\1820086767" -childID 3 -isForBrowser -prefsHandle 2880 -prefMapHandle 2712 -prefsLen 6986 -prefMapSize 219609 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4528 "\\.\pipe\gecko-crash-server-pipe.4528" 3156 tab
      3⤵
      PID:5100
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  1⤵
  • Enumerates system info in registry
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  PID:4432
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa0ec4f50,0x7fffa0ec4f60,0x7fffa0ec4f70
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:600
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1432,15132510748626480425,7950037295553823401,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1616 /prefetch:2
    2⤵
    PID:2332
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,15132510748626480425,7950037295553823401,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:956
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1432,15132510748626480425,7950037295553823401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:8
    2⤵
    PID:1500
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,15132510748626480425,7950037295553823401,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
    2⤵
    PID:3268
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,15132510748626480425,7950037295553823401,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
    2⤵
    PID:2044
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,15132510748626480425,7950037295553823401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8
    2⤵
    PID:3884
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  1⤵
  • Enumerates system info in registry
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  PID:4412
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa0ec4f50,0x7fffa0ec4f60,0x7fffa0ec4f70
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4032
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1524 /prefetch:2
    2⤵
    PID:4840
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1916 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4524
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
    2⤵
    PID:4356
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
    2⤵
    PID:1376
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 /prefetch:8
    2⤵
    PID:4256
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    2⤵
    PID:5048
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,16274327117952076572,14971062182570068791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:8
    2⤵
    PID:4620
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  1⤵
  • Enumerates system info in registry
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  PID:708
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fffa0ec4f50,0x7fffa0ec4f60,0x7fffa0ec4f70
    2⤵
    PID:1444
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1908 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:5104
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8
    2⤵
    PID:4092
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
    2⤵
    PID:2872
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
    2⤵
    PID:1536
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1508 /prefetch:2
    2⤵
    PID:2940
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    2⤵
    PID:5008
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
    2⤵
    PID:4652
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
    2⤵
    PID:4856
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
    2⤵
    PID:5020
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:8
    2⤵
    PID:2968
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
    2⤵
    PID:3860
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2888 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2868
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1272 /prefetch:8
    2⤵
    PID:4080
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
    2⤵
    PID:2176
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    2⤵
    PID:4748
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2500
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4512
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3820 /prefetch:8
    2⤵
    PID:3868
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
    2⤵
    PID:4124
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
    2⤵
    PID:4240
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=908 /prefetch:1
    2⤵
    PID:2540
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
    2⤵
    PID:3176
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
    2⤵
    PID:4848
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
    2⤵
    PID:4156
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
    2⤵
    PID:4604
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
    2⤵
    PID:4824
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
    2⤵
    PID:1144
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3260 /prefetch:8
                                                                                                  2⤵
                                                                                                    PID:4836
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3592 /prefetch:2
                                                                                                    2⤵
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:1564
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
                                                                                                    2⤵
                                                                                                      PID:1928
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
                                                                                                      2⤵
                                                                                                        PID:4684
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:8
                                                                                                        2⤵
                                                                                                          PID:4116
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
                                                                                                          2⤵
                                                                                                            PID:1176
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:8
                                                                                                            2⤵
                                                                                                              PID:4452
                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=6do6y7sgCX4f8qFjZfUP83+cM7GSjzxXS0CD01L+ --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2272
                                                                                                              • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
                                                                                                                "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff796c425a0,0x7ff796c425b0,0x7ff796c425c0
                                                                                                                3⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:3896
                                                                                                              • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
                                                                                                                "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2272_FNSGDOUITAOXDOQT" --sandboxed-process-id=2 --init-done-notifier=704 --sandbox-mojo-pipe-token=12860633025516733839 --mojo-platform-channel-handle=680 --engine=2
                                                                                                                3⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Loads dropped DLL
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:5024
                                                                                                              • \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe
                                                                                                                "c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2272_FNSGDOUITAOXDOQT" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=4116085108917020340 --mojo-platform-channel-handle=924
                                                                                                                3⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:3120
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3228 /prefetch:8
                                                                                                              2⤵
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:2264
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
                                                                                                              2⤵
                                                                                                                PID:4596
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
                                                                                                                2⤵
                                                                                                                  PID:4472
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
                                                                                                                  2⤵
                                                                                                                    PID:3856
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
                                                                                                                    2⤵
                                                                                                                      PID:4460
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
                                                                                                                      2⤵
                                                                                                                        PID:5028
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1588 /prefetch:1
                                                                                                                        2⤵
                                                                                                                          PID:496
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6072 /prefetch:8
                                                                                                                          2⤵
                                                                                                                            PID:4424
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
                                                                                                                            2⤵
                                                                                                                              PID:1632
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
                                                                                                                              2⤵
                                                                                                                                PID:4940
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
                                                                                                                                2⤵
                                                                                                                                  PID:4624
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
                                                                                                                                  2⤵
                                                                                                                                    PID:4560
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
                                                                                                                                    2⤵
                                                                                                                                      PID:216
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
                                                                                                                                      2⤵
                                                                                                                                        PID:1036
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
                                                                                                                                        2⤵
                                                                                                                                          PID:1752
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
                                                                                                                                          2⤵
                                                                                                                                            PID:2164
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
                                                                                                                                            2⤵
                                                                                                                                              PID:4640
                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,15815553939645183214,14158396864184705328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
                                                                                                                                              2⤵
                                                                                                                                                PID:1944
                                                                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sample.txt
                                                                                                                                              1⤵
                                                                                                                                              • Opens file in notepad (likely ransom note)
                                                                                                                                              PID:1352
                                                                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4.pdf
                                                                                                                                              1⤵
                                                                                                                                              • Opens file in notepad (likely ransom note)
                                                                                                                                              PID:2324
                                                                                                                                            • C:\Windows\system32\NOTEPAD.EXE
                                                                                                                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\try.txt
                                                                                                                                              1⤵
                                                                                                                                              • Opens file in notepad (likely ransom note)
                                                                                                                                              PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                      Count  ID
Defense Evasion    Modify Registry                1      T1112
Credential Access  Credentials in Files           1      T1081
Discovery          Query Registry                 3      T1012
Discovery          System Information Discovery   2      T1082
Collection         Data from Local System         1      T1005


Downloads

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13292247086793230
                                                                                                                                              Filesize

                                                                                                                                              1KB

                                                                                                                                              MD5

                                                                                                                                              a476c99b207cd9a7231a81ba4f1f69db

                                                                                                                                              SHA1

                                                                                                                                              7160b4d55740135e65fadc99094e9d3451c16a25

                                                                                                                                              SHA256

                                                                                                                                              93aa8debf6d1240554c740fda4b2c7e0b8e69bffe90118076b94a5663ff00fb9

                                                                                                                                              SHA512

                                                                                                                                              266155638a164ffa64102e011292c156850aeca8dafcf0f00ea11a8c1a17b905e47822fd093b3033f58a115ab9643e477eb2e78b5d00b7a40a680ca9046a0f89

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13292247054363032
                                                                                                                                              Filesize

                                                                                                                                              669B

                                                                                                                                              MD5

                                                                                                                                              2a6a31844ab7f5c3760e8bf98aca4eb2

                                                                                                                                              SHA1

                                                                                                                                              b7b3ca18fe75e6f5a342c59eda60a8dc89f299c0

                                                                                                                                              SHA256

                                                                                                                                              5e589a41623f7e4a2cbb211d3579a67f79b4bdb3a93252702bee28b1e178cbb5

                                                                                                                                              SHA512

                                                                                                                                              10fad5c1683cbb3173ab88fa30085e84785002ace08f3244d8ce25de87b3bacbb4638f709138bdd2ea51aae8fe77127507367cab5f325db32437a63f5f5ed63e

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13292247087443230
                                                                                                                                              Filesize

                                                                                                                                              669B

                                                                                                                                              MD5

                                                                                                                                              2a6a31844ab7f5c3760e8bf98aca4eb2

                                                                                                                                              SHA1

                                                                                                                                              b7b3ca18fe75e6f5a342c59eda60a8dc89f299c0

                                                                                                                                              SHA256

                                                                                                                                              5e589a41623f7e4a2cbb211d3579a67f79b4bdb3a93252702bee28b1e178cbb5

                                                                                                                                              SHA512

                                                                                                                                              10fad5c1683cbb3173ab88fa30085e84785002ace08f3244d8ce25de87b3bacbb4638f709138bdd2ea51aae8fe77127507367cab5f325db32437a63f5f5ed63e

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
                                                                                                                                              Filesize

                                                                                                                                              348B

                                                                                                                                              MD5

                                                                                                                                              e1c8bc8cc6b9250d03fed9572da698c2

                                                                                                                                              SHA1

                                                                                                                                              9af5cb85cf2206b45d25097549f5eb52159118c7

                                                                                                                                              SHA256

                                                                                                                                              ac489987d8c11311bec5f79f6019124fd220feea3d52302e49165d7858a8228b

                                                                                                                                              SHA512

                                                                                                                                              fdfd4fbeabc3fe39635b3aad2b9cdf46d8b090096aa3da5bf1f2cc55990b2a4f60220b2679f459f58cbcdc40efcb325ed9494ea7e0237c313bd12f3b86090630

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
                                                                                                                                              Filesize

                                                                                                                                              348B

                                                                                                                                              MD5

                                                                                                                                              017fea37a23b7d44d6e50232b8de95ac

                                                                                                                                              SHA1

                                                                                                                                              9de88bd9223e9bf8846234ca3e262147d26aabcb

                                                                                                                                              SHA256

                                                                                                                                              5a79b40fb730381330913aaedd33912ab1a800a40abec8f953cea730218a16cd

                                                                                                                                              SHA512

                                                                                                                                              439d6ed1615cf785402efa73b398e1155cc56f0daa56fb50e77dc71630b5abac59a5cf0afc3f9d03d4bcbec3457d1b0154652240eea92a128c10b64ff935a1fc

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
                                                                                                                                              Filesize

                                                                                                                                              160B

                                                                                                                                              MD5

                                                                                                                                              de92ad90be6d3364745b2f73f4c3cf73

                                                                                                                                              SHA1

                                                                                                                                              9158681463bd30e5af4dda4baac81f93cedbda77

                                                                                                                                              SHA256

                                                                                                                                              0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

                                                                                                                                              SHA512

                                                                                                                                              9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
                                                                                                                                              Filesize

                                                                                                                                              198B

                                                                                                                                              MD5

                                                                                                                                              1f7f208858a1f652fa7ae45c3c7510c9

                                                                                                                                              SHA1

                                                                                                                                              e3b7e0fb73ee579b9e8b6e29f9d9ccd783050a5d

                                                                                                                                              SHA256

                                                                                                                                              81b396566964f665632a83714ff09afe24c96e8e5401a588b943d721669de6f4

                                                                                                                                              SHA512

                                                                                                                                              cfb0ea1566cd946f39159f01dcecccd98ff4dcc10cd30f85e9bb86af8661acf8b9ad0e6c3e915fdac93959c64158723673eb877ecfec078c1c82a2e11066ba01

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
                                                                                                                                              Filesize

                                                                                                                                              321B

                                                                                                                                              MD5

                                                                                                                                              22a03f1ec117a8a6c498b9f667555ac3

                                                                                                                                              SHA1

                                                                                                                                              a63e7260b764b07934b832328bc8e9bcf75fd10d

                                                                                                                                              SHA256

                                                                                                                                              33fdd67870b7604893fe15072d83311992e3777eb9f7bcfe84eb8ad52df76dfb

                                                                                                                                              SHA512

                                                                                                                                              2fc2c951d33ef9266e978e804ce3a40ff40a7e68c5039a904bdccf601c5b56e2846d3b328dc2637297f0b856ed5e9234ef47e2bce70fce7120143083e9b703fd

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
                                                                                                                                              Filesize

                                                                                                                                              324B

                                                                                                                                              MD5

                                                                                                                                              6df68aea12aa3aafd9fd249d2a8cf878

                                                                                                                                              SHA1

                                                                                                                                              be257498b5861757ae6bcff8fbfde9db0bef0cad

                                                                                                                                              SHA256

                                                                                                                                              50850f8661f59be5ea9a25f714be845514d9e6a1c79c4847ed291a4e188862e5

                                                                                                                                              SHA512

                                                                                                                                              7121a8afdb240013c9ced2447b135c5ef2159d0453d6116f23bf18eef9b26003c2b428e1f81565c7ba693e61cf0ebc9e55b70c4e4a66d8f455e041560cadf709

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
                                                                                                                                              Filesize

                                                                                                                                              370B

                                                                                                                                              MD5

                                                                                                                                              2bc6e79f42933c3608557c5a0ef8b5f2

                                                                                                                                              SHA1

                                                                                                                                              81f676ffb7597b25a1cc95c9d5196ebf4f2f5796

                                                                                                                                              SHA256

                                                                                                                                              ffe34587cd5d790cf0dd4435ac8a8a10d5c5d0365062b7a6f7f86efba5c9a350

                                                                                                                                              SHA512

                                                                                                                                              8d40e682b7751e8f9e294e241e8db20fb3540a0d47941634b5c4df1100a56eb09994d5c8a8f519393b7b104db38f68ce5b321038db6da5fb86e85cfa108decc2

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Trust Tokens
                                                                                                                                              Filesize

                                                                                                                                              28KB

                                                                                                                                              MD5

                                                                                                                                              43f06b0ad880f55e7a1c011072e643b3

                                                                                                                                              SHA1

                                                                                                                                              12f8734a47346647f92ff769c91a7ec5c63ee648

                                                                                                                                              SHA256

                                                                                                                                              ec9199fbe747bf8c1a20865bd553017277777a6035497c92b17cb758ce2aee0f

                                                                                                                                              SHA512

                                                                                                                                              91b020d508f814bc80add0d0423cc98010c5cb696e744e09219748db4d2b6f4a8f701b619e9832fdedf91e5d7dbbc2cd78cb75c57f9c5a06707b1dc47ceaf987

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
                                                                                                                                              Filesize

                                                                                                                                              13B

                                                                                                                                              MD5

                                                                                                                                              b63048c4e7e52c52053d25da30d9c5ab

                                                                                                                                              SHA1

                                                                                                                                              679a44d402f5ec24605719e06459f5a707989187

                                                                                                                                              SHA256

                                                                                                                                              389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

                                                                                                                                              SHA512

                                                                                                                                              e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
                                                                                                                                              Filesize

                                                                                                                                              13B

                                                                                                                                              MD5

                                                                                                                                              b63048c4e7e52c52053d25da30d9c5ab

                                                                                                                                              SHA1

                                                                                                                                              679a44d402f5ec24605719e06459f5a707989187

                                                                                                                                              SHA256

                                                                                                                                              389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

                                                                                                                                              SHA512

                                                                                                                                              e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                              Filesize

                                                                                                                                              135KB

                                                                                                                                              MD5

                                                                                                                                              c98dbe476a98365326def66525b67a3e

                                                                                                                                              SHA1

                                                                                                                                              335c520d70f60c4fc4825c94fa145b69939b77a9

                                                                                                                                              SHA256

                                                                                                                                              e07f5f217c1a983bbcc4649d4f041d850f701e3c95dec9687e962de5605a0701

                                                                                                                                              SHA512

                                                                                                                                              94c5a77cf99099d611a903234df0233035426746b53ef5956440a63d8f22128a9408c62ba3f3034e151a7f35aece88768e7ea3303eb56ac0cc11aaa16db8c15a

                                                                                                                                            • \??\pipe\crashpad_4412_QRXOCRVGVZTXIELS
                                                                                                                                              MD5

                                                                                                                                              d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                              SHA1

                                                                                                                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• \??\pipe\crashpad_4432_GCUFMNCXSYCHTBWO
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• \??\pipe\crashpad_708_RBJWJNUEOUIKPSVI
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/196-132-0x0000000077942000-0x0000000077943000-memory.dmp
  Filesize  4KB

• memory/1440-126-0x0000000077942000-0x0000000077943000-memory.dmp
  Filesize  4KB

• memory/2036-129-0x0000000077942000-0x0000000077943000-memory.dmp
  Filesize  4KB

• memory/2720-118-0x0000000077942000-0x0000000077943000-memory.dmp
  Filesize  4KB

• memory/2732-121-0x0000000077942000-0x0000000077943000-memory.dmp
  Filesize  4KB

• memory/5024-176-0x00007FFFBE480000-0x00007FFFBE481000-memory.dmp
  Filesize  4KB

• memory/5024-175-0x00007FFFBD9B0000-0x00007FFFBD9B1000-memory.dmp
  Filesize  4KB

• memory/5024-182-0x000002DE4FEE0000-0x000002DE4FF20000-memory.dmp
  Filesize  256KB
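A small triage helper, added here as an example and not part of the sandbox report or its tooling. It does the two checks an analyst would run over the artifact list above before spending time on any of it: confirm that the named-pipe entries' MD5/SHA1/SHA256/SHA512 values are the digests of zero bytes (the pipes were recorded, but nothing was captured from them), then parse each `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` name into a region, cross-check the region length against the reported Filesize, and group regions that several PIDs share. The artifact list is constructed inline from the entries on this page; the dict layout, regex and function names are this example's own assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed from the report entries above (layout is this example's own).
EMPTY_SHA512 = ("cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e")
PIPE_HASHES = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha512": EMPTY_SHA512,
}
PIPE_ARTIFACTS = {
    r"\??\pipe\crashpad_4432_GCUFMNCXSYCHTBWO": dict(PIPE_HASHES),
    r"\??\pipe\crashpad_708_RBJWJNUEOUIKPSVI": dict(PIPE_HASHES),
}
MEMORY_DUMPS = [
    ("memory/196-132-0x0000000077942000-0x0000000077943000-memory.dmp", "4KB"),
    ("memory/1440-126-0x0000000077942000-0x0000000077943000-memory.dmp", "4KB"),
    ("memory/2036-129-0x0000000077942000-0x0000000077943000-memory.dmp", "4KB"),
    ("memory/2720-118-0x0000000077942000-0x0000000077943000-memory.dmp", "4KB"),
    ("memory/2732-121-0x0000000077942000-0x0000000077943000-memory.dmp", "4KB"),
    ("memory/5024-176-0x00007FFFBE480000-0x00007FFFBE481000-memory.dmp", "4KB"),
    ("memory/5024-175-0x00007FFFBD9B0000-0x00007FFFBD9B1000-memory.dmp", "4KB"),
    ("memory/5024-182-0x000002DE4FEE0000-0x000002DE4FF20000-memory.dmp", "256KB"),
]

# Assumed name format: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
SIZE_MULT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}  # assumed binary units


def empty_digests():
    """Digests of zero bytes, the fingerprint of an artifact with no captured content."""
    return {alg: hashlib.new(alg, b"").hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def is_empty_artifact(hashes):
    """True only when every reported digest equals the digest of the empty input."""
    return all(hashes.get(alg, "").lower() == digest
               for alg, digest in empty_digests().items())


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and the [start, end) region."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"region end is not after start: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_size(label):
    """'4KB' -> 4096; raises on labels the report format does not use."""
    m = SIZE_RE.match(label)
    if m is None:
        raise ValueError(f"unrecognised size label: {label}")
    return int(m[1]) * SIZE_MULT[m[2]]


def check_dumps(entries):
    """[(name, parsed_region, reported_size_matches_region)] for each dump."""
    result = []
    for name, label in entries:
        region = parse_dump_name(name)
        result.append((name, region, region["size"] == parse_size(label)))
    return result


def shared_regions(entries):
    """Map (start, end) -> sorted PIDs. One region at the same address in many
    processes is typically a system image mapping (same base per boot), not
    per-process payload, so it is a low-priority dump to open first."""
    by_region = defaultdict(set)
    for name, _ in entries:
        r = parse_dump_name(name)
        by_region[(r["start"], r["end"])].add(r["pid"])
    return {region: sorted(pids) for region, pids in by_region.items()}


if __name__ == "__main__":
    for pipe, hashes in PIPE_ARTIFACTS.items():
        print(f"{pipe}: {'empty' if is_empty_artifact(hashes) else 'HAS CONTENT'}")
    for name, r, ok in check_dumps(MEMORY_DUMPS):
        print(f"pid {r['pid']:>5} {r['start']:#018x}-{r['end']:#018x} "
              f"{r['size']:>7} bytes {'ok' if ok else 'SIZE MISMATCH'}")
    for (s, e), pids in shared_regions(MEMORY_DUMPS).items():
        if len(pids) > 1:
            print(f"region {s:#x}-{e:#x} dumped from {len(pids)} processes: {pids}")
```

Run against the list above, both pipes come back empty, every region length agrees with its Filesize (the 5024-182 dump is 0x40000 bytes, i.e. 256KB), and the 4KB page at 0x77942000 is reported from five different PIDs, which marks it as a shared page rather than something unique to one process; the three regions that belong only to PID 5024 are the ones worth opening first.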