gandcrab | 42dc6eb5ab00270fbbd9e987649c7b4af7fc0c54e11b362d2b7fcb1129ad6ea2

Resubmissions

31/08/2023, 18:55

230831-xkv13ahc81 10

31/08/2023, 18:50

230831-xg4h2ahe88 10

Analysis

max time kernel
76s
max time network
143s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
Size

250KB
MD5

fd12370aefc258ee6b5ea6e8183ff8b3
SHA1

2e3ffaef12e0d1c7f7466b02adb030bc8e0b7d38
SHA256

42dc6eb5ab00270fbbd9e987649c7b4af7fc0c54e11b362d2b7fcb1129ad6ea2
SHA512

968ecd92b0fca2fdf2195a54c4b9a79eb054bc067210a3e7b8ce4929df2a7df7aa381cbcf927545cec30dab08cd2ef5f00350080a64579cdc9f73519133d0c45
SSDEEP

6144:9+YrOIBjaklexBgiJ8sTSIkIpxIp8mDtfPBRwasxXq:9OCjaklYgVIpxIhDtR

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab payload 4 IoCs

resource	yara_rule
behavioral1/memory/2780-3-0x0000000000400000-0x0000000000444000-memory.dmp	family_gandcrab
behavioral1/memory/2780-4-0x0000000000290000-0x00000000002A7000-memory.dmp	family_gandcrab
behavioral1/memory/2780-12-0x0000000000400000-0x0000000000444000-memory.dmp	family_gandcrab
behavioral1/memory/2780-14-0x0000000000290000-0x00000000002A7000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lczkfkduxct = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gqicno.exe\""	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\H:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\J:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\P:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\E:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\K:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\O:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\T:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\B:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\I:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\L:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\M:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\N:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\Q:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\R:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\U:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\V:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\W:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\Y:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\A:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\S:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\X:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
File opened (read-only)	\??\Z:	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
700	chrome.exe
700	chrome.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeDebugPrivilege	2252	taskmgr.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe
2252	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3044	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	28
PID 2780 wrote to memory of 3044	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	28
PID 2780 wrote to memory of 3044	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	28
PID 2780 wrote to memory of 3044	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	28
PID 2780 wrote to memory of 2964	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	30
PID 2780 wrote to memory of 2964	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	30
PID 2780 wrote to memory of 2964	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	30
PID 2780 wrote to memory of 2964	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	30
PID 2780 wrote to memory of 3004	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	32
PID 2780 wrote to memory of 3004	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	32
PID 2780 wrote to memory of 3004	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	32
PID 2780 wrote to memory of 3004	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	32
PID 2780 wrote to memory of 2736	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	34
PID 2780 wrote to memory of 2736	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	34
PID 2780 wrote to memory of 2736	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	34
PID 2780 wrote to memory of 2736	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	34
PID 2780 wrote to memory of 2684	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	36
PID 2780 wrote to memory of 2684	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	36
PID 2780 wrote to memory of 2684	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	36
PID 2780 wrote to memory of 2684	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	36
PID 2780 wrote to memory of 2808	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	38
PID 2780 wrote to memory of 2808	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	38
PID 2780 wrote to memory of 2808	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	38
PID 2780 wrote to memory of 2808	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	38
PID 2780 wrote to memory of 2992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	40
PID 2780 wrote to memory of 2992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	40
PID 2780 wrote to memory of 2992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	40
PID 2780 wrote to memory of 2992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	40
PID 2780 wrote to memory of 2428	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	42
PID 2780 wrote to memory of 2428	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	42
PID 2780 wrote to memory of 2428	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	42
PID 2780 wrote to memory of 2428	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	42
PID 2780 wrote to memory of 268	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	44
PID 2780 wrote to memory of 268	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	44
PID 2780 wrote to memory of 268	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	44
PID 2780 wrote to memory of 268	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	44
PID 2780 wrote to memory of 992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	46
PID 2780 wrote to memory of 992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	46
PID 2780 wrote to memory of 992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	46
PID 2780 wrote to memory of 992	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	46
PID 2780 wrote to memory of 912	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	48
PID 2780 wrote to memory of 912	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	48
PID 2780 wrote to memory of 912	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	48
PID 2780 wrote to memory of 912	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	48
PID 2780 wrote to memory of 2588	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	50
PID 2780 wrote to memory of 2588	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	50
PID 2780 wrote to memory of 2588	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	50
PID 2780 wrote to memory of 2588	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	50
PID 2780 wrote to memory of 1832	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	52
PID 2780 wrote to memory of 1832	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	52
PID 2780 wrote to memory of 1832	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	52
PID 2780 wrote to memory of 1832	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	52
PID 2780 wrote to memory of 1612	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	54
PID 2780 wrote to memory of 1612	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	54
PID 2780 wrote to memory of 1612	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	54
PID 2780 wrote to memory of 1612	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	54
PID 2780 wrote to memory of 2116	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	56
PID 2780 wrote to memory of 2116	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	56
PID 2780 wrote to memory of 2116	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	56
PID 2780 wrote to memory of 2116	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	56
PID 2780 wrote to memory of 2892	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	60
PID 2780 wrote to memory of 2892	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	60
PID 2780 wrote to memory of 2892	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	60
PID 2780 wrote to memory of 2892	2780	fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe	60

C:\Users\Admin\AppData\Local\Temp\fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fd12370aefc258ee6b5ea6e8183ff8b3_mafia_JC.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:3044
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2964
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:3004
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2736
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2684
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2808
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2992
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2428
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:268
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:992
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:912
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2588
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1832
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1612
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2116
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2892
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2980
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1732
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1740
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:3056
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1048
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1044
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1704
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2384
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2388
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2552
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2872
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2656
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2336
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2352
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2344
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:836
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:536
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1720
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:540
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2372
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1888
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2652
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:932
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2176
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2568
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2268
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1992
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:328
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1680
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1040
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1224
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1712
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:880
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2884
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1932
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2376
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1084
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2256
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1156
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1188
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2476
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2532
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1300
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2412
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1008
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:680
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2304
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2404
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2188
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2772
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2536
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:3064
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2836
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:580
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1940
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:292
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:1984
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2312
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1116
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1216
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:524
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:2456
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:2364
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:2244
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns1.wowservers.ru
  2⤵
  PID:2348
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns2.wowservers.ru
  2⤵
  PID:1424
- C:\Windows\SysWOW64\nslookup.exe
  nslookup carder.bit ns2.wowservers.ru
  2⤵
  PID:1808
- C:\Windows\SysWOW64\nslookup.exe
  nslookup ransomware.bit ns1.wowservers.ru
  2⤵
  PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7bd9758,0x7fef7bd9768,0x7fef7bd9778
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:1
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1480 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:2
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2208 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1428 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3748 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3720 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2496 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 --field-trial-handle=1292,i,775038652511053805,10202573601670512960,131072 /prefetch:8
  2⤵
  PID:2284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4728100924005643838328625301138154365-680077382-1738078147548394694216688992"
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77e965.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
09a05c556fc97d0dc61c89822cf3904b

SHA1
51f78eabd5f1c2b8208e2e3cfeddebf795ca2a70

SHA256
8a27c193d4142e8e81bd85e3af4b8e3ab6b4801b99c87f6c1cab7d8066e2b818

SHA512
bb79451183f972b09dcae59ba6ee5e147c4f4919b930de6dfab060e2b788dad9a8e36511e4ea252faf9c10a85cbd8b1ecb96059ac1689068bf1e271a5728455c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
8e482e08fbdf4107e846397d983004e7

SHA1
760addbb300c2d4ce26e8a372b398c64ac1d81e8

SHA256
036ae16d60e01c8b3da628916d0afbd65a8e3339158ad71eb8aed0dfb6e23a31

SHA512
c5629d87852b6701600e5d51dcb71e347c0883b1b4d72467fdb6d514d8f8b5bcaf9f84a4bde58c6499858c8926c7d3165e6eb8ac9a92e99c48c509a000b9d108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
49eafce1c924f7b5ad71d5d140298d36

SHA1
9b1c960e33bdc9aff92579016b722a611b88ceda

SHA256
da2452caf0878384a52f14e60891ffe17264d302b9b08338e3d5c91e67ad6717

SHA512
ce58ed67df79cd15609646412faa24bbd40c8e9802ee8b5093c916351224d25286b6b26b0dec1dbc446cedcdfe7c3c3427844f662086eecdac981e46c6f6d86d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
da88694f01b94b71ff2f12e9f7b1e531

SHA1
a3c4183bc13a8ac5ce4dbed80a24ba4c203bb67f

SHA256
6ad72bf2e10305e0934d436c64c4dd70869159c3de3c16cb686d4da5de592274

SHA512
90719bcfc19a9dcabeca8a913280f747505066a83f4377ad14b599050731ccffb5f16340cae3ae8e5a3df6f0e05cb8f17c53279aae011d3b675bcd4d9223512f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
b74870cc2f2f1b6871b0278dfd7158f0

SHA1
7efac430e3d19db445a10558f71cb582da4d1ad7

SHA256
009a91feb1b2a72ba79d1161943e1d351ad80cd2569f45bceb5e4228c594395d

SHA512
88643b7579a91ae51a146362fd944be401b031119d5d62d77290d9b3dbc1c42ba65ef8b29cc87d9831a6b180f785b55b6afa99bf0b67667dbc364253eec11728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
3aedc9191c085203f61e3615f3bf2f90

SHA1
60d278a559ce144f192edaa9ed6dcf07dc63918b

SHA256
94f7303a4bd281bf7979222eaa0379dd865a2b9cf10543fb6e92c120e4c5d1fa

SHA512
bde286b39f63d1e7ebd886476154a68e0ec650416c4d856509802bf3f70d48f1c0fecd9b912fa6c596459697bed1d50ff7254e7678a1d03a06723d0fdd509594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
89bfe0e78e54b15d9418764df536c55f

SHA1
cdf7727d70be18f593caa7b8cecf74dcee3bfd1f

SHA256
a21a04a095d523ef2b70e80e84608e4913ca7f9319ae3391bea095105789fe23

SHA512
d1432eeecca2b50bfe1dedb379dd375fe9a21f8c5b7467d00828924a7777b283ae2ac6dc8d90129dc5a23aab086072a46020212a11319ca456f028d4efc9c95f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
memory/2252-541-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-528-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-596-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-592-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-579-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-552-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-526-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-70-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-527-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-551-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-69-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-542-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-479-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-529-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2252-539-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2780-4-0x0000000000290000-0x00000000002A7000-memory.dmp

Filesize
92KB

Download
memory/2780-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2780-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2780-11-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2780-1-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2780-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2780-14-0x0000000000290000-0x00000000002A7000-memory.dmp

Filesize
92KB

Download
memory/2780-0-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download