hxxps://yandex[.]ru/

Resubmissions

02/06/2023, 07:11

230602-h1bvssac99 6

02/06/2023, 07:02

230602-ht5jjaag4s 6

02/06/2023, 06:41

230602-hf5mdaaf8w 6

Analysis

max time kernel
247s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 07:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://yandex.ru/

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Restore = "C:\\Windows\\System32\\rstrui.exe /runonce"	rstrui.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\SystemRestore\RestoreUI.0.etl	rstrui.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2232	rstrui.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeBackupPrivilege	428	vssvc.exe
Token: SeRestorePrivilege	428	vssvc.exe
Token: SeAuditPrivilege	428	vssvc.exe
Token: SeBackupPrivilege	4420	SystemPropertiesProtection.exe
Token: SeRestorePrivilege	4420	SystemPropertiesProtection.exe
Token: SeBackupPrivilege	4968	srtasks.exe
Token: SeRestorePrivilege	4968	srtasks.exe
Token: SeSecurityPrivilege	4968	srtasks.exe
Token: SeTakeOwnershipPrivilege	4968	srtasks.exe
Token: SeBackupPrivilege	4968	srtasks.exe
Token: SeRestorePrivilege	4968	srtasks.exe
Token: SeSecurityPrivilege	4968	srtasks.exe
Token: SeTakeOwnershipPrivilege	4968	srtasks.exe
Token: SeBackupPrivilege	4820	wbengine.exe
Token: SeRestorePrivilege	4820	wbengine.exe
Token: SeSecurityPrivilege	4820	wbengine.exe
Token: SeBackupPrivilege	2232	rstrui.exe
Token: SeRestorePrivilege	2232	rstrui.exe
Token: SeSecurityPrivilege	2232	rstrui.exe
Token: SeTakeOwnershipPrivilege	2232	rstrui.exe
Token: SeManageVolumePrivilege	2232	rstrui.exe
Token: SeBackupPrivilege	2232	rstrui.exe
Token: SeRestorePrivilege	2232	rstrui.exe
Token: SeBackupPrivilege	2232	rstrui.exe
Token: SeRestorePrivilege	2232	rstrui.exe
Token: SeSecurityPrivilege	2232	rstrui.exe
Token: SeTakeOwnershipPrivilege	2232	rstrui.exe
Token: SeBackupPrivilege	2232	rstrui.exe
Token: SeRestorePrivilege	2232	rstrui.exe
Token: SeSecurityPrivilege	2232	rstrui.exe
Token: SeTakeOwnershipPrivilege	2232	rstrui.exe
Token: SeShutdownPrivilege	2232	rstrui.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1428	5096	chrome.exe	84
PID 5096 wrote to memory of 1428	5096	chrome.exe	84
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 2784	5096	chrome.exe	85
PID 5096 wrote to memory of 768	5096	chrome.exe	86
PID 5096 wrote to memory of 768	5096	chrome.exe	86
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87
PID 5096 wrote to memory of 1568	5096	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://yandex.ru/
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdec439758,0x7ffdec439768,0x7ffdec439778
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1744,i,362657479166518541,12247807151636648454,131072 /prefetch:2
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1744,i,362657479166518541,12247807151636648454,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 --field-trial-handle=1744,i,362657479166518541,12247807151636648454,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1744,i,362657479166518541,12247807151636648454,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1744,i,362657479166518541,12247807151636648454,131072 /prefetch:1
  2⤵
  PID:1216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2120

C:\Windows\system32\SystemPropertiesProtection.exe
"C:\Windows\system32\SystemPropertiesProtection.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\system32\rstrui.exe
  C:\Windows\system32\rstrui.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3988055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
831B

MD5
c6e5ce65441d174e13930c8e119468c6

SHA1
0241c381fcf4c4f60f119ea4ff5b99e49a17944d

SHA256
6e21e7129c2cde6909d1ba5b4d5b8611fd819ba23ec4a85d5eb9cb9731981563

SHA512
fa9d5dc54341488232fb331a173d1ea78350ef1776048540edc9aacd7d4f4807168db873eef32941c9ad1bf51af8cc799740eaa6b04e37dd89d0ac774d41582e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
b739d617cab13cddf1b6ab338805aee6

SHA1
2cf70694dce7b22393d5f73e9e1d96d5d1586b82

SHA256
611959ab87821a7340c541e25341821035974fb52df137e4790f0dcc0d0a48d1

SHA512
9f43b7c871f13aacd86b2bc3d01d396da878b4cbe3a8a34eda63642e60b9125459b8852187fda22cc30041e10ce4ea35872364634265a28834e0abd41e67152f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
143e7f2e8ecaac6131aad6ecd64df2d1

SHA1
907788f052a8cd0f7bbed8f12a543555fab61892

SHA256
a2e5e33e1ae52068a5219d2fe86fbc6eddf4ae83d9258e120b60aa4dabbed9ce

SHA512
50e0f6f67ba846dad414fc99dafa8d222fcfabfc63ce9431b3fc37750c2db35a232fd4e88177d268a3bf93703ff065352b243b458855c198e38651fa12e3ab43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8572be53b8533e086a3718de020c553

SHA1
48a2aadaf170d9cf1fe480632d8d8171f84350f0

SHA256
e56122a5ede0f8e9e6c03d520a4385c210708fac83f9064b56effa511771c319

SHA512
a975b2619a1f8b243f284baedb1106ca94c32b643587f0419059ce19366b5ba0290330602b80fe5f313d13a32a5a37ca7eb081b10d21ba9373fdcaa44b5b03d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
0b0fe120f141f612907c1c09f2cce133

SHA1
eb9f9c8ad5be99929b418095f09653a51ad443b3

SHA256
5f20440acac9ee6a946550b47e9da96bfe34a7be8be8a8996f12cb4fbad7b409

SHA512
5934cfe450bb99dcd0615c1d28eccef4d22788634ea6fc962baee8d54f23474d3a2cf07211e9e00740cd67ce9c0095f46721e97e15a0cfe7166a084092ed2902

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
673179f4558391703ad880ca3e91d69d

SHA1
1bbfe9a8b7e24d47da69494242ec43592e5634b4

SHA256
786f70dc9ff89453414a46534d43f31a80d715e3fa66f5424b18dad52a63bfde

SHA512
ee43671d34ea95947976e0731542d1f897971e0ad32ba2537bf8cfa765a30867e60c4f10a236f8a18d339590102707dea78adc3420103fc3e445bd58ae835527

Download Submit
\??\Volume{c9ab6598-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{94df22a9-9abb-4bae-a02f-66cd4395f82d}_OnDiskSnapshotProp

Filesize
5KB

MD5
0989d15e23eeb7040aaff71d04d46018

SHA1
0fe4dff74a1c8872b99ed812abf59828d911b076

SHA256
e5913073c6cd17ec60c33b0152c342492844e783932934fe9ef81a0f786ecb6d

SHA512
ca331dd7d353b7e087140f71b9a37820542f492b4724166b1a1b62101db7b37ae110423bf0844cddbbd13b68e0f81b1183cb2aa13a55b7be1baf1c60b925018a

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads