sodinokibi | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9

Analysis

max time kernel
1746s
max time network
1861s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-01-2023 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
Size

542KB
MD5

61c19e7ce627da9b5004371f867a47d3
SHA1

4f3b4329871ec269043068a98e9cc929f603268d
SHA256

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9
SHA512

dd919e1dace4e1f246552bbb1b55cd13f38bdac8764afb67624d4331341dff1c3cd75616da26d9deb4e05c04163b78a5ff8b9ffec2f73b2c9b82d5a41e216244
SSDEEP

6144:YONNYdX7HkqEHcTY6uoZzFyKAuGnlOOkl8tuGogbOIVmda9J4:YONNoX7HMHcTY6uoZzFyfONlwNB2

Score

10^/10

sodinokibi 5 367 ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\c834v-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion c834v. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8728C5559ADFCF27 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8728C5559ADFCF27 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 8Bmm1AAU5y3RysuoI4LUP8sy95IP5voolSmBvTFstDjdDvonsGQfa9QRd3YNHlM5 D/gzsWfvbI20r4zaNecnK2jOCVmuTGrDhCgtL6912GyZdcckULTLZ6vNp3nbkDLo aFbsQzmec7YWiSCfVC6sltaJYZvLL8L8235XQOvH2GCAvV4q+OEnEQH0E7Z++DBn uDGQycXW9o9gGmPPPc85GauRmZTAjJar7vQ0lw2v/wne6v2gTukJ9WWzUI/Ge7xC zkBFkuNfsCPcaPqrof3U8Czhuvi9Wf9Yuu1mcLiMdLSV+8nQ1SiIIJgbK04Orhgy RcuH72s8gusqvNSlRNSb0wAboXn8HO0hP+ydQsk1bAiTu8YI9dQlpAbnlDlGNiYH 2yOaZtMyo2gAE8uF9vT6knR+wZVw1PcNYyxwO/39Zf5GgJy9Ngxd68juSX6CZFUk 9+F7H3cvsBbxXSDfbLM2IEWuPD8fhhnKbF7kELM1krWeIz0sdQTR9uF3Fk0OoATA 42QRmCzgrIc9HcWXL2Vy7H9XIWjKMT0igxwvQ8x47znYgLsCgMMbwA1NjotvxulV lIQWo2EeSWJx+nxiirPpjqPIQckXQAx2GHQ/KQ8vLqyhYpT7xNVACBFp5FgDMpS4 ZD2F2wJB9fRkYFiOHR7avCXtUBMdKdEjP+QrHlFNqlWxSoc2hO+DtrnsAsvdvjkf VSlJoGXQXn1ve1SVmTBWMfhb5amgIwcPSQ3fohYTZ5BRn2O5akiaJVdiadwVDxa1 fzBuNYuqpENpuPAHJ2X5ZO5crpIVGAkCFyhkuJ9Hf+QQRZUnCwh69qt60tNEbPzw 5nrvTdNNVgK6Gj/1Pxgv7/8JsD0ul6OZZRjrd+FGA8ZJzvFpEFoF1in0dcmbKSZL oDcF3+IEwRSx6yYoabKouZjBZOqqMkcQdi59aIULdaLMu6KNXoVAsaokoW22TPcJ wD/V7ZkhxTt3CMTQ22WcPF+uBZtllBTcLsfmFh7MTm4PTqmAxvUvPhwtHZB8riR+ u9g0pLz3N3rCp+K1v7sxiOsjtruoNdDtACsvmY5upE4NxKhKO06mqKBZCYE9J9kz VemLbcfh2S7NTVdTmE1H6yOTYhMqIjJeKie8TLJbMhFLmABU0opFw2Z7INe1Qw== Extension name: c834v ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8728C5559ADFCF27

http://decryptor.top/8728C5559ADFCF27

Extracted

Family

sodinokibi

Botnet

Campaign

367

Decoy

craftingalegacy.com

g2mediainc.com

brinkdoepke.eu

vipcarrental.ae

autoteamlast.de

hostastay.com

gavelmasters.com

ronaldhendriks.nl

successcolony.com.ng

medicalsupportco.com

kompresory-opravy.com

sveneulberg.de

oththukaruva.com

voetbalhoogeveen.nl

selected-minds.de

log-barn.co.uk

fsbforsale.com

jobkiwi.com.ng

ivancacu.com

11.in.ua

Attributes

net
true
pid
5
prc
wordpad.exe
outlook.exe
tbirdconfig.exe
agntsvc.exe
thebat.exe
mydesktopservice.exe
sqbcoreservice.exe
thunderbird.exe
ocomm.exe
excel.exe
thebat64.exe
steam.exe
xfssvccon.exe
firefoxconfig.exe
sqlagent.exe
ocssd.exe
mydesktopqos.exe
msaccess.exe
isqlplussvc.exe
mspub.exe
winword.exe
sqlbrowser.exe
dbeng50.exe
sqlservr.exe
oracle.exe
encsvc.exe
powerpnt.exe
dbsnmp.exe
infopath.exe
ocautoupds.exe
mysqld_opt.exe
visio.exe
msftesql.exe
mysqld_nt.exe
synctime.exe
sqlwriter.exe
mysqld.exe
onenote.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
367

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InvokeStart.tif => \??\c:\users\admin\pictures\InvokeStart.tif.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\MeasureUnlock.tif => \??\c:\users\admin\pictures\MeasureUnlock.tif.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\SuspendTest.crw => \??\c:\users\admin\pictures\SuspendTest.crw.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\TraceSearch.tif => \??\c:\users\admin\pictures\TraceSearch.tif.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\UndoUnlock.tif => \??\c:\users\admin\pictures\UndoUnlock.tif.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\EnterSwitch.tiff => \??\c:\users\admin\pictures\EnterSwitch.tiff.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\users\admin\pictures\EnterSwitch.tiff	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\DisableCompress.tiff => \??\c:\users\admin\pictures\DisableCompress.tiff.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File renamed	C:\Users\Admin\Pictures\LockSelect.tif => \??\c:\users\admin\pictures\LockSelect.tif.c834v	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\users\admin\pictures\DisableCompress.tiff	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/976-113-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened (read-only)	\??\J:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\X:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\Z:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\L:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\M:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\O:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\S:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\T:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\B:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\G:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\I:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\Y:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\K:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\R:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\V:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\W:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\D:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\A:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\E:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\F:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\Q:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\U:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\H:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\N:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened (read-only)	\??\P:	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2dgv4ov28d.bmp"	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Drops file in Program Files directory 42 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened for modification	\??\c:\program files\MountExit.3gp2	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\NewSearch.avi	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RequestBlock.wax	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RevokeUnregister.raw	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\StartRead.tif	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UnlockRequest.scf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\EditExport.vstm	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ExpandWait.wmv	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UseLimit.vsx	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\c834v-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UnregisterConfirm.temp	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UpdateUnprotect.M2TS	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\c834v-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\FindUninstall.avi	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UnblockSkip.tif	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\GetStart.odt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ReadRevoke.jpeg	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\SaveRegister.cr2	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\SelectClose.mht	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\SuspendSelect.snd	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\DenyOut.csv	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ExitUndo.otf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RestoreHide.3gp	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ResumeImport.jfif	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\UndoMount.mpeg	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\RestartCompress.ppsx	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\MountReceive.DVR	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\c834v-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ConnectRepair.TTS	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\LimitFormat.asf	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\SwitchBlock.mpe	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\WaitRemove.nfo	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\LimitSplit.snd	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ResumePublish.au	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\c834v-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	\??\c:\program files\ApproveRevoke.jpg	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files\c834v-readme.txt	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Drops file in Windows directory 64 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4f8620c6384385cb.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui_31bf3856ad364e35_6.1.7601.17514_none_dd3eb6aced2f8d13_credui.dll_c0e5bbea	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7_dnscacheugc.exe_aa32623e	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1257_31bf3856ad364e35_6.1.7600.16385_none_8048648522902070.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d16a6a0766330383_compstui.dll.mui_0724407b	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_6.1.7600.16385_none_ceb39c895289e648.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_6e551558ba413320.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeui.ttf_b39275ad	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18633fbb02ac1dfc.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr_31bf3856ad364e35_6.1.7600.16385_none_09cabb1971a25848.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-msctfime.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a46dee1b77727355.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_bfab9b4ba5f934f9_netiomig.dll_917b9a36	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.1.7601.17514_none_10145eccb79418a5_samsrv.dll_b7a400ca	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cd82ef8cc53045c3_mswsock.dll.mui_d7c2a730	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_85775.fon_f144fe91	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itss.dll_f5d929eb	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_c04bc94bbf0132ec_hh.exe.mui_2744e397	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-932_31bf3856ad364e35_6.1.7600.16385_none_ceb194d2fc8f5269.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_expand.exe.mui_3f54e013	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1b97e2a0cf19a74b_hh.exe.mui_2744e397	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_80f1f0a40b5d6999.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_c1518e03472df852.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga863.fon_0805d564	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3ba587a377f9964c.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.1.7600.16385_none_27a7f7694b388c01.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_585df4a7092d7807_comdlg32.dll.mui_ac8e62f4	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5443e0d485ba2199_shdocvw.dll.mui_9b8f26d5	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-winsock-legacy_31bf3856ad364e35_6.1.7600.16385_none_e33b8ccc72da5441.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9e31697c5d34471_psbase.dll.mui_c28690ab	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fae917b2ebbd936e_netiougc.exe.mui_ad7a9e4d	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-869_31bf3856ad364e35_6.1.7600.16385_none_cebec624fc8535e4.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_el-gr_a4ed4d1775975006_msimsg.dll.mui_72e8994f	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-oleacc_31bf3856ad364e35_6.1.7600.16385_none_c679af753c14c22a_oleacchooks.dll_f9282ebb	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6533d86c111df368_userprofilewmiprovider.mfl_b1cb99f9	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rmcast_31bf3856ad364e35_6.1.7601.17514_none_b2a3d1a09e8a89b1_netpgm.inf_76514a00	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7601.17514_it-it_4dfed4407fd71215.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_85be50917459a218_mlang.dll.mui_2904864a	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4aab526590e1172b_scarddlg.dll.mui_300ae9df	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9162dff52c1fa7f0_mdminst.dll.mui_19a87063	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34be759892c77101_dwmcore.dll.mui_ebf60d96	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_perfd.dat_f1e3dfd2	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e202f15f2ca6a82a_mlang.dll.mui_2904864a	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7e524572c62fe1c.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7497a71c57e547ec.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sr-..-cs_cff3ee56469ed719.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a_dhcpcsvc.dll.mui_186571e1	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_002271384242c2c1_webio.dll.mui_e805c4b7	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6674b4d9f148cbe1_objsel.dll.mui_9b915792	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81_puiapi.dll.mui_e94aeb19	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3c7595cb45aa004f.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bdbcaf727d38d49f.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5db7df5b307ffadc.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_dc658d0c024781ab_sccls.dll.mui_f104be47	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_30bc7fe1e159c5d3_mofcomp.exe.mui_35badf56	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_it-it_723982cb6f42a366.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-win32k_31bf3856ad364e35_6.1.7600.16385_none_1f3d15b3e8989262.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b7c76e94cbb839f_winbio.dll.mui_7a8d17bd	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_a9a74ccae735a589_comdlg32.dll.mui_ac8e62f4	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_181a1bc5e35bb95e_gpsvc.dll.mui_0c160ac2	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga40woa.fon_3e9e1495	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-gautami_31bf3856ad364e35_6.1.7600.16385_none_d7a960cbb5ebb166.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_a9a74ccae735a589.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8fd9b5d6f86267fc.manifest	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_microsoft-windows-networkbridge-ppdlic.xrm-ms_1a466ea5	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1208 vssadmin.exe

pid	process
1208	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskmgr.exe

pid	process
1864	bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
1540	chrome.exe
1412	chrome.exe
1412	chrome.exe
2560	chrome.exe
2396	chrome.exe
2396	chrome.exe
456	chrome.exe
1664	chrome.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe
2700	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2700 taskmgr.exe

pid	process
2700	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AUDIODG.EXEtaskmgr.exevssvc.exe

description	pid	process
Token: 33	1680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1680	AUDIODG.EXE
Token: 33	1680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1680	AUDIODG.EXE
Token: SeDebugPrivilege	2700	taskmgr.exe
Token: SeSecurityPrivilege	2700	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2700	taskmgr.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1412 wrote to memory of 956	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 956	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 956	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 976	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1540	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1540	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1540	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 1548	1412	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
"C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67f4f50,0x7fef67f4f60,0x7fef67f4f70
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
2⤵
PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
2⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3080 /prefetch:8
2⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3328 /prefetch:2
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,11739784974176592759,8778600465924517839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67f4f50,0x7fef67f4f60,0x7fef67f4f70
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1492 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1796 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3300 /prefetch:2
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
2⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3200 /prefetch:8
2⤵
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,6909374168980342998,1172651183078116403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 /prefetch:8
2⤵
PID:2352

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2260

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
"C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe"
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
"C:\Users\Admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2964

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
ed6ee0ccef27e8eaaa207e84d4c0cfbb

SHA1
a64fb92322975f57bab45209fa6d62ddd48c00b3

SHA256
9b304751bccc46470a1ed655964e711da694ea06f8044da017b61a67121ca676

SHA512
203becd67b55d13d2f60ccf74f09ec428d48258c1079a2ea16049a2e9a9aed6d97780457f9b8abd99b8b8a860cfcad1e81e32b74bad5cea0ad47810766f5648c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
Filesize
44KB

MD5
c81b65da3dafd516b3554cf7e8ce69e3

SHA1
bd0e7d7145b195b6d6c711f62c4f2896e3f0d5d1

SHA256
d2c0bdebb24cb16376443b8ace32ccc8499c57628cd303d286f5c3eeeb4559d3

SHA512
f5ee232a369c231b284c9abdb79834b3d579cf7fe6d8948fa64b345e8288cd4389739df1a6973fac5c8c517ddc77b72ae952643a15dd4c03f66244104f9582bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
Filesize
264KB

MD5
694c5d0921a1512638e7a3eb42c22e0d

SHA1
95c70a131dd484185249df9e652fa8e8deaeae3d

SHA256
ee43e01961c4deb609e22d7e37ecc349e40ea14515d99ea4cfd9a96c14d675c2

SHA512
3a7e6dc7652068a5a3944dffa12f89d7e97516d6d56798a44d501db184d9c6cb542646500dbeea4c10bdccafb6276bde8672aeb5f1fdf9e9ebe7cee2b7a80b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
7b24b0fa6681255cb6095f64d8bf45e4

SHA1
1eb88b120e8cb2255fd27f7b3c574d31e39ea057

SHA256
b7c39bfa67d6b97ec59c817b6cafd55b561d59a7ab941e28e875f6faf04ebfe8

SHA512
81e07a1497a7f4b4d36e0f865d3a8cafcef62ffeb0c9336860c8d98658b940d312c8a87d5bd6c104da90e122fc185a1c79c3efbdde9c38f4fe15eff77b60c57c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003
Filesize
36KB

MD5
2cbb8c853889e688340a12481716c5a0

SHA1
5c1aa1b06103b13047a1c45b59b76fb566ff64f8

SHA256
5a44717526e02e3613419bf945e446af1214366b9d82569d6de3e1e3d88c73fd

SHA512
82681e32d14f5ce3ada4320133dc0093cf062c93e29d464d423b3d56c6d28cca75388edc07b26e1db3a6c4bbcfbd3aa9e54e52ccf644a74f70fb095cf8321669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004
Filesize
46KB

MD5
9262812dd9643b893311506ff071e5b4

SHA1
f0a898c4b39193e100cb8a4a0f93e011a2a6000e

SHA256
53703833e65dfdb1dd009aa4708a3b404e37220cb5bba3678f7c973108c70b10

SHA512
046a3d076e5e1643b770a7477c0ce4eedd3fe612a3a5dc9bff99e8bbecd88772573ffbb65482520b5f24fdfd4e7c8adaf7b08c94d69675333f03695371045d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005
Filesize
35KB

MD5
3dc6b3c0bb1af8db47bd8cdd43543aa7

SHA1
9af4fcc16ff6b8ab30e398c07ef54e1df07768a3

SHA256
f68d1793e65c52c4fd9578e7ffabd7af2d186838787ae9c50665f92a2b17ec25

SHA512
83b72699e64b2f50ab388000de0dbeb14bf2f1ea76d279b3db1686c9d6d168176cd02463dc3995deaa007126b3cd79fbacf16022fcb9f19b25e0fdbc40c75e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
317B

MD5
6ac5098ad5ad4c2b5612fba24603cf36

SHA1
696d591c80468d7ecd59d26a30f44a7a52d39983

SHA256
f47f6c1f68d414f28b3f7419fd7548cefbfdfb3c2f3939f641e9fa3b4e9845bb

SHA512
6f247d3b6cf7bead5068d93ba2bbdff0bd149f4cf3e587a58fe42b852c6d823bc5633df0ee32c144dedcf5fec51c5792494de68840e229004e0e14435a2e1fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
e35b09216b470bceb6673f4086905862

SHA1
65ba41bdd00a4fb9a4bd0a7def7856ed58297ceb

SHA256
2014be2db9fe708ab19c49824dd841c322531bc500ad778ca8b2454d96cb740c

SHA512
1a6de5de508d0319f4475fe22472822acf12d81dd7676277bf83f3421fc72fdfe414c11e3a5d432e5af6646db5418c1da232756284b7cc845efa81522c8cc09f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
329B

MD5
e366d8ac5076bb31bbad3a3a8eb5ca22

SHA1
f7264765c6866f8b584806421749a6db74b1c415

SHA256
41dce10d3b0926625c2e34c09c5b262512a6d8149871aab59899b15b846db18e

SHA512
9a2f581bab762784680d679cd1b71f23b70041bed7a0d187ed7bb59bb842cfd94d5af8e4ea65c42f11dc024cb2f607c09e66f9a3ff83539b2389d6d92f72fef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State
Filesize
1KB

MD5
d827e08160b22af878784633a7eb3254

SHA1
8291d8ff21699136c63113995fce55b3185cdff9

SHA256
5d3c9569ac14c19a17d34d9470857cd5f415085b02a8cb927d176a7222f3d287

SHA512
e783d40a2a94c2b3f40fed8575423e3c106d22a0bbcd22526e3c6836327f538dafc18548e145073f4fd6de2861029bd054100d9a3f47958cd49f583b30dc95c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG
Filesize
331B

MD5
1257af19d637d24b025f195b655d0156

SHA1
3f79be0d34c6cb4e270e24bfebb05cbd439b6352

SHA256
a2a21cd77cd3d6ff1dd391dd46a48960c56972a048150022dc4a6a3aad7f051d

SHA512
2846c1811eae4d748cc89f18e4911d90129524acc03678a757bf71b6d553f165f11abfd492fc9a5d86cb72487d8fb0644aba16dbb68c0a96e350ec43051da886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
bbe7b3cf1ecf08599c6c94affd041c10

SHA1
3cb70bd0941b46329d4e8f89e4abfcb3e186645f

SHA256
173e543d38d524397601258cb0a99977e5804670cefd50d1b8438c3f5f50383e

SHA512
210383640aa18cb1b44fbfae91a1a8d4a5ea54e34b549d0bbafa94e70d38acdba7d7ec56df02d3c80dfeec3298a80d44b8f5051ca22f832da5679f731517df09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL
Filesize
36KB

MD5
79f5711d201447354a00bbe5bd7f5f9f

SHA1
37111fb4eefdb0ddd1971bdbf1b89b72c08e6c6b

SHA256
b17368cb2adaf54657e5469898d5570e49156ab65e55c9d67e3b3c133503a848

SHA512
009fb0ccf362c82c04f2044af7d474493bc1be50ae3619e819a00b5b6f7f6eec9128170911ed488f8c44787a0a952d9b939b7e26f86acc02dba74e96bab9458c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal
Filesize
8KB

MD5
1c11f3b71a8ae7fbfda95628365a5140

SHA1
3f3420fd348b8b7d588c459ae36a2c971362ef61

SHA256
50ebbd3fe1bf850638884d79e410c742f6c9cb52bdca4860f9e883d345eea4bc

SHA512
87effe9321264da567b3c3e3923d729af071d72060e2aa1808d9a457ae688dc37bce52c5fccaa4395219a865fc42377bbc5d1e01c8a60a4fd48856f51c013fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
60c937234908b961af9e6d372a62c9bc

SHA1
4497933e45422698b110e998548eae17f331cbbe

SHA256
fd26c493c57f8a6fbaec9808893513cdea7fcf74ff8c0109b383e27043977aa2

SHA512
a6f33242ed3633741b501e0a9305321fa3521724f8c6fcd9730ed0ce1a18db90e1bfa3485f5a2b8ceaa99cc19c2573d09f3779fac877a6b8c9b14575e4dbd4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
317B

MD5
da4af069e0f7406ca176717180ac747c

SHA1
42d25726418957b646e1d7834c2e5aaeec30f557

SHA256
a7560c893f7cc391fc400a6d0d6e2e6381519c999ff83334fe1baaa81973ff88

SHA512
21b434675ff34045be1da7e884d7363455af232f9155cbcab91338e09adc55152b8d9c952f9ab9dccd5c4f768865ddf685de49cd266dedde23ab7cde98ea0bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13318032984055000
Filesize
669B

MD5
a56fa9fa11964f802fafb79102a69d23

SHA1
acd72489be42ddd36009173d89c4522e91eb932d

SHA256
c1e735d1b3d7118030ed39bc2a07f61b7f27bfb6b960c15cf83153bb3a528605

SHA512
9bf917fff1e1167d2929f4d87f679ccf2bc47d208898ce6c75b41703208df5a910ef95249c1d4653c1c5b205435f9e36936bfb5e1cf2f8246ff2ae00b792a4e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
345B

MD5
970ca0b1f27b49ff1267b90b9feb14e2

SHA1
31a4ddc901e25fccc0289b19fbe89c7845199c60

SHA256
ab1b48be1acc6af8c415002702ce52d681c7bfbd4b74d2f4e8996bc08650f030

SHA512
43880df82a5058b4bc0d771d63e6747836944674340b076780bfcb247c125d9b1954ed5fddb3ba3166edcc9f51364365ff47b0640b445cbe71be53d75085cb58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Filesize
160B

MD5
de92ad90be6d3364745b2f73f4c3cf73

SHA1
9158681463bd30e5af4dda4baac81f93cedbda77

SHA256
0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

SHA512
9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
321B

MD5
894a4eb0585a615d017efa407b33952f

SHA1
f4ccb18f4457d3a64fc3cb5c63b4ac6f55d63518

SHA256
d9af9a78ee3d68eba5936beb33552811d990565bcb3c4c5e64e2a46af817ab1d

SHA512
d2d2a5bb5839cbc844b3c9d5e3bc274974d77c9c254b7db3c01e84a6a1778dadaa10622679e04cbb1f43e45b2b4fbc6a3d3eea5e1a7adb8f7062f2ec0a36dc66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
Filesize
518B

MD5
e0f378aba0d69d340d8e4db33b1c0eed

SHA1
a6c61a3f0cf57220fe89c91e67a518a985f8ac04

SHA256
95122c691287f5c60028324cf9aee78bfbbbecd88997869123cac4cdafc019dd

SHA512
03ac0abb20ae7c148e6b6c2e901813502c05f12598ccb622a9b2d0aa8e16255b83b3eebbf03cdc9656305557d773819ffd3758ac2f1108a69abdb64189080aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
45B

MD5
c86d3626267e3a3daa78622b403bbcec

SHA1
ee1a4c78e14664b3671ec0589643c231756bcb29

SHA256
0921f4f1c46ab7aa362c94d94a8d03c785523d8bc3e0ffd0d4d509d28c7c8e07

SHA512
fca4361deb7aa007c2f97a921c66fb33617597d68136a7df0a08ff9a21fbde3b7566b78c54f6a03aabb359d2c6a97984596737c0056974a4a2911d0e7b9aaba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002
Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
106KB

MD5
f46ff7e2848aed60f820a876bff1c402

SHA1
1a0bb94e73ab589e8b045101b92eb8b58acb783f

SHA256
92a58f199199ae573665177107a538e673f8266f00d53f4110444a690bf4c749

SHA512
40583825f9f9e5151405f5dfa0adeb4f1ab27c7fc1dbf52400cc8aa3aaaaf55499c4d98d18abcf9860e4f05d93472e607da319e291274dd6a5f94cc56faae560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Filesize
6B

MD5
30a9e63c4f094caec2e822efcfc9131e

SHA1
7b38f54625634334d10a289b440ceb75d48003e0

SHA256
597c93cb9cf1d440277f369639f22bd0a8845ba06a314303f0820c839da4fea0

SHA512
4888c7df0dfb37c97de6a354d1afec86084fa334e755295ffc2a354164ecc476d9516dbdeedc81af765d7e6b96e7b6509d5884cd57f933f47e4de05732ad9a31

Download Submit
\??\pipe\crashpad_1412_HBUZOXDEKOZCNPNR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2396_TEKVQANRGOOCVJME
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/976-119-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/976-121-0x00000000005FC000-0x0000000000617000-memory.dmp

Filesize
108KB

Download
memory/976-114-0x00000000005FC000-0x0000000000617000-memory.dmp

Filesize
108KB

Download
memory/976-129-0x0000000002F60000-0x0000000002F70000-memory.dmp

Filesize
64KB

Download
memory/976-117-0x0000000002240000-0x00000000022DF000-memory.dmp

Filesize
636KB

Download
memory/976-126-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/976-125-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/976-124-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/976-123-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/976-122-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/976-113-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/976-120-0x0000000002730000-0x0000000002839000-memory.dmp

Filesize
1.0MB

Download
memory/976-118-0x00000000022E0000-0x000000000240D000-memory.dmp

Filesize
1.2MB

Download
memory/984-65-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/1208-128-0x0000000000000000-mapping.dmp

Download
memory/1864-61-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1864-60-0x0000000002630000-0x0000000002739000-memory.dmp

Filesize
1.0MB

Download
memory/1864-66-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1864-59-0x00000000004E0000-0x00000000004FF000-memory.dmp

Filesize
124KB

Download
memory/1864-64-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1864-63-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/1864-62-0x00000000002AC000-0x00000000002C7000-memory.dmp

Filesize
108KB

Download
memory/1864-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1864-57-0x00000000021A0000-0x000000000223F000-memory.dmp

Filesize
636KB

Download
memory/1864-54-0x00000000002AC000-0x00000000002C7000-memory.dmp

Filesize
108KB

Download
memory/1864-58-0x0000000002240000-0x000000000236D000-memory.dmp

Filesize
1.2MB

Download
memory/1864-67-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/2700-106-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2700-105-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2700-107-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2808-112-0x000000000063C000-0x0000000000657000-memory.dmp

Filesize
108KB

Download
memory/2808-111-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2808-109-0x000000000063C000-0x0000000000657000-memory.dmp

Filesize
108KB

Download
memory/2964-127-0x0000000000000000-mapping.dmp

Download