sodinokibi | 3f2198870df4c4d85119f93bbc803d4abc24925e336462168384f285b5855187

Analysis

max time kernel
78s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-09-2023 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

166KB
MD5

5bab7e6528a56bd5d3a76d01ec3ab45f
SHA1

4b9495fc06c67e4419a0cf3d70b6285e9808afc4
SHA256

1dc818f51827d89a545493921f8648299f3eb367c1e0354969ccaa9df7ce77b5
SHA512

7c59fca6ffa7d1fd55f7c2268c22193d48c4082277f95c882b1e7df93f011a86c036f569c5bb8dc0a83aebe9bf44df9e7f11aac99ea0c33f917e63e80c2b07c4
SSDEEP

3072:EJMawtnGqtWoKeZC62aoNUSncs0whq2aWc54aF:+w9vteQJYUocfWLK

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\Users\11379n7c-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 11379n7c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0318A68183AD3849 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0318A68183AD3849 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KJZYvUd9xS3vbKITZ7D+o5va5GGpetT2jkDtRToWOlGNDd78AbMszvGMY4qKfYGO /Po3e54Chh8xk9CXPK7XZgsMybmhJqhU4Inktgb4oMe4Lh4hyTNRANeBWhX6QPrw lwxtqRQpli/kGGmPzyOMkh+UJxRgoMTNJWYjP96jSUnLBSM5W+18ADnZI3vkf1Sw PuJbf86Hz5vuLFy4jGrQ/5MVPziMTjIbvgeVPXx2HtlKKXqa58DueaS3H9p4iLWs doej/SjVv3h5qt4dIYAq0YY1YYD3Qi/vukFD9zAUfTop4hGqm8Vkl12ETQQZCUE4 tC3+Cx9/kyVFqJR6BZwX9mxxyJjTbJX5yW5DnQWZgdBBgKADVnvQ3IMSnw/+k2tX z1ybCObKVTqPJ4uqUkYrNVDx3IlmU0MzLq/u7pCkikeEf5mGFcnsEU83BHg6G0Xw hCx35xaqfS73mfRBH3Yg4oMAUBIcOzVAYvKBEMtO9UbKrAwqMqLB0ovldS4lmlsQ 8zIZxXFqtS1tyUZMJpSDvY3pZDd/Q8FsLuilIvwHqZWVijk85EemhOolL8f7j5pT 8pCxjRt4eZB9IDi2FqDtCurwn2JQTsCLOJXnSd5zhM+BhQZ3p+uT+kPw89hJ06Pz 0r75H/bLkguieFbWXc83Yf3AM2guw3yfPivSifx+/YPlH0TQhMQY/xslouuOIs2E uo5rGrfacEHIGYuYJfkI5GZhmxArdtyxqAOYqnSs9IxJp7aRbmdMKN/+9D8Dd+Gz BDiUkNo1RB6+2joOgTNlt3YgT14U794DxvMihilTEBPJSpPR+mymvTELAmJOsI1R +Z/7NQh61f3XIXM7v2Loh0FHnXrH7TEIN88jLmWP6+ImqVJT/8VGbIlzvk9gkemj PumQtGI8R8gsVp72EYxrdV0dWQS7uWQIkH9nLbyOT5X68HoGFvHGTzewsG/Pp1AY livCITruLIJYa+KdtX8XMZdcdfs/xoGDGHic8QZU0mpbMcqg9yvwp3fZs5NMYHCn RuAsOqM4mZ7bvdA1FAFRTyNB06hyx6+tIiLA+93bbiv3PS9Br/P7DIxxBcpVkPLC MKKxqp5f/hu98EcAI+sU0ByoyyvJ4rAfnuELEetyhYxR7QCPexNJ83lyBpWPmR55 L+2aGsEZ6f6DkrCRDCpaDADYUJvAysKb5XTjOMxo4TjKvZUfXOuG9+VKtnMTDsqL kQiu5/g7ETRlGRv6L6MDO325Qkftl5NK7+TYNTOWwUsIGOL7r1GnZZ8Ibry5hywa TVoH5Kj12z/1AjpI47HORFYpqevVmaJxp50oKgrqfdT0XyvryB5n1uRb5v5em4a6 jGlSTNzeUelO9jXG/oMFMAdmQIpouBR+Tf28P1UuuQaxNIlz Extension name: 11379n7c ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0318A68183AD3849

http://decryptor.cc/0318A68183AD3849

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ipinfo.io
75	ipinfo.io
76	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	svchost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9j5nob17p49b.bmp"	svchost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\WaitAssert.html	svchost.exe
File created	\??\c:\program files (x86)\11379n7c-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\GroupRepair.mp4	svchost.exe
File opened for modification	\??\c:\program files\WritePublish.clr	svchost.exe
File opened for modification	\??\c:\program files\ReceiveRestore.xml	svchost.exe
File opened for modification	\??\c:\program files\UpdateCheckpoint.jfif	svchost.exe
File opened for modification	\??\c:\program files\ConnectResolve.ADT	svchost.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\11379n7c-readme.txt	svchost.exe
File created	\??\c:\program files\11379n7c-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\CompleteRevoke.aiff	svchost.exe
File opened for modification	\??\c:\program files\RestoreInvoke.xltm	svchost.exe
File opened for modification	\??\c:\program files\TestAssert.ini	svchost.exe
File opened for modification	\??\c:\program files\WatchRedo.7z	svchost.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\11379n7c-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\BackupLock.mp4v	svchost.exe
File opened for modification	\??\c:\program files\JoinUndo.tmp	svchost.exe
File opened for modification	\??\c:\program files\RestoreResume.contact	svchost.exe
File opened for modification	\??\c:\program files\DisableComplete.DVR-MS	svchost.exe
File opened for modification	\??\c:\program files\ProtectInitialize.rar	svchost.exe
File opened for modification	\??\c:\program files\EditPop.emz	svchost.exe
File opened for modification	\??\c:\program files\EnableJoin.vssm	svchost.exe
File opened for modification	\??\c:\program files\RedoPing.vb	svchost.exe
File opened for modification	\??\c:\program files\RenameBackup.mpg	svchost.exe
File opened for modification	\??\c:\program files\StartApprove.zip	svchost.exe
File opened for modification	\??\c:\program files\UpdateUnblock.mp2	svchost.exe
File opened for modification	\??\c:\program files\EnterInstall.ex_	svchost.exe
File opened for modification	\??\c:\program files\LimitEnable.mp4	svchost.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\11379n7c-readme.txt	svchost.exe
File opened for modification	\??\c:\program files\LockSearch.midi	svchost.exe
File opened for modification	\??\c:\program files\SearchUpdate.mov	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2052	svchost.exe
2936	powershell.exe
2152	chrome.exe
2152	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	svchost.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeBackupPrivilege	2868	vssvc.exe
Token: SeRestorePrivilege	2868	vssvc.exe
Token: SeAuditPrivilege	2868	vssvc.exe
Token: SeTakeOwnershipPrivilege	2052	svchost.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe
Token: SeShutdownPrivilege	2152	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2552	NOTEPAD.EXE
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe
2152	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2936	2052	svchost.exe	29
PID 2052 wrote to memory of 2936	2052	svchost.exe	29
PID 2052 wrote to memory of 2936	2052	svchost.exe	29
PID 2052 wrote to memory of 2936	2052	svchost.exe	29
PID 2152 wrote to memory of 540	2152	chrome.exe	42
PID 2152 wrote to memory of 540	2152	chrome.exe	42
PID 2152 wrote to memory of 540	2152	chrome.exe	42
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2444	2152	chrome.exe	44
PID 2152 wrote to memory of 2316	2152	chrome.exe	43
PID 2152 wrote to memory of 2316	2152	chrome.exe	43
PID 2152 wrote to memory of 2316	2152	chrome.exe	43
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45
PID 2152 wrote to memory of 2256	2152	chrome.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:592

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\11379n7c-readme.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4e29758,0x7fef4e29768,0x7fef4e29778
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1128 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:2
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1560 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3452 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2760 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4008 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4316 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4284 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:1
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1208,i,5975411884799717132,10192538254572955452,131072 /prefetch:8
  2⤵
  PID:2792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1880

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\SyncProtect.xml"
1⤵
PID:2892
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  PID:2504
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    PID:228
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:228 CREDAT:275457 /prefetch:2
      4⤵
      PID:2980

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\11379n7c-readme.txt

Filesize
6KB

MD5
cea2cac8ceb59219a484c03c0bda3a51

SHA1
c1ebdacf2870b221a9f0dadfd7af5f25471f7a4e

SHA256
2332197a453ff91f62a6ed086337232c393881b7084685c1d38e18c7adcac3a0

SHA512
abc9afed9f707c9064205b3d64226e7aac91346d4ea03cd7cf9115cf45c5d7b2e28de98f08e8b53a4ea550db9c59c7bec64a354d3d48bf971f46e55025498c70

Download Submit
C:\Users\11379n7c-readme.txt

Filesize
6KB

MD5
cea2cac8ceb59219a484c03c0bda3a51

SHA1
c1ebdacf2870b221a9f0dadfd7af5f25471f7a4e

SHA256
2332197a453ff91f62a6ed086337232c393881b7084685c1d38e18c7adcac3a0

SHA512
abc9afed9f707c9064205b3d64226e7aac91346d4ea03cd7cf9115cf45c5d7b2e28de98f08e8b53a4ea550db9c59c7bec64a354d3d48bf971f46e55025498c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d535d440c882bf8af670db92c2de7c3

SHA1
fd4c6379e956d5ea6f8c277aaa18cbdb94b5f13f

SHA256
fb59b8faf734e74ebd30e6b365ad4bafb4087b91a453ba58c729ee4d12bbf66e

SHA512
40f065c8dfa067b63efba1dc48f6838b0c2952751126dc3f7bf5540e9641d24cfaee9cdcd7cecbd7d3116351f924b0cd9b61a8183029e833f1ebcb25226d0450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a2e7f85cc6d7bdaffbfaa7ec55c4fa3

SHA1
883ad698f236fe2772cdadf329c3070248e58ed3

SHA256
6cbc351c3768672414e2aa24aea08187df6c7c5121b322fb0f570b510f816b48

SHA512
0d3912ea22a022b39a62a66bfc8ad5372fbd6ff3289b47d1ea5631a531f3b4c588ffdc27542a38b419548e0cdb0415a3adbeb6a98d3bb89d776ddbcbc1d1af6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50c0abc436204d3710f2bb7590c890e3

SHA1
41d307b33c3f3beeee763915fdfb1a7b1768bbf6

SHA256
a825ced8e7436997107167197f7a6e7353000de04847630616a5f46ef7c7b8c4

SHA512
8d9cc4e3563d47e89b98b0e984c3dd15fd3178158f68edf87e9d0fdcf3f08f8a42d3179391feacc3003eb6651fb92638a1d18b749891912202fbc880340cca48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00f950e6a424222e164773cbbfb93b0b

SHA1
6c742b78632f4fefb2b47cc3ab5b3b75388cef87

SHA256
351487bfbbe78b430fcd878c8e8cdb8ee11601c2514fc55326d84c64d9cdee30

SHA512
4f3437aeac62b7ccd64a2fadc683544b6be2e3dc6b3d933db58a385d6e3ac47c9030bc9870b320e865b07e1209b7b59351bea703b295eb9f87216eb192f4514a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d3be4e7d1140da60d00b75c8098f287

SHA1
895323d88e7dc4d63bee74858a59bffd688ec404

SHA256
79f236fe5d176249edc6bfa6f2d7538765ac51577575801666a08a4fc7c31297

SHA512
18f010e740d76e597db41dc93018ac4fd7f7eaba6b2d2861e0209fc1676c462d0680b4775b267640bfe8e793cc6422b1310a5c42a42d5578d1f856a293f4427f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5cf1346eccfb2d911e12b4d4bfe5a86

SHA1
06aa17b0ee03419b0da33a4942c71800263c5f97

SHA256
1461706c5e8bdfc7f8441e4e46139b91f77d030db1871614621f7e10949e8961

SHA512
c063940607deb700c1d80608c56e2e1d35099ff21781a5bc8827e386aea6b46811ffbbd7db58a2deada90759701aa60182e16484df5b03ed18a60bac3651745a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf2ef1fe7e6229bef517e701e4ed01c7

SHA1
dcdef76e36bf71303662f62987e0a0f8c47c849e

SHA256
452cf32046e2647a086a07a979308360f41840ef373a9d7d66b829ae2f6b31b6

SHA512
c4a5ac5688fab5ffec170ab78d272ac45218d6fcf80e494e22de2e3e3d7663ee1a83243656250d4d5a2b655ef8da65fd5d49ca80be02171656ab0c351227bf35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4865d45dcd7f448117ef59275ad1c6b

SHA1
d36f9e1756c426d139e9bdf2163757505164fbad

SHA256
5fc523eb95540dd12555fd1e473bfb98317c0130403efea8574bdfc3a0438d42

SHA512
9913659b3272e36da4ceba9f5e3d4ef55061a04607e6a8dff8314ec3dbde4fe57212a13402e2db56ddf73c17a9fbb2450f479947c983d54fdfeff80edcd5fc08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0f1fb37cebc7978fad3b40bab8c3f4f

SHA1
3e32d52f678b09de3adbee659d5ac758edb2815a

SHA256
c67ada1545e352bc5bff50716be86e7871fc65b287b0996c6724191fdf73bd7c

SHA512
639913120d15a6e41c3a82e8d9a8bac8a9910ca91566c8aec826a85b37025d671bb7e04006825a2dd0670c0a9484094b23e866ec20cc8f562061179eab19f63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ff3665bc06e967a3bb2f47fc51bb96d

SHA1
b6d0fbbab9ccd179a63f030edfc6c48cea0d7188

SHA256
2c9d66365db28e5358c0430c14925eab30eb049e42348f6984ba9cac5479bdab

SHA512
1a9ae285ef03ae7b57abd092a06f8e8fe223bb09bec24e9419ce3c5a4e932ccfac1b25616c9191a15168cd1e0e2e08d06f4d1c72d5a74297b2bf40b21ec1d9bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41b7f7d7bf1d2a8e5c01ffed4e0cae02

SHA1
37f7368387819a17722caa9ff1952647f39dce95

SHA256
f2cdf3877122f08bf0d663237bb96ba8e177f7450faadad0bf3d478d82eb3577

SHA512
dee849cc6801b261a5818f8e0f1f9eef1f9ad39cbacb5aa7c3ef75f648810688c6b54edf19a21c4fa909aed4c85f57cbf01aac7a283eda8ad61a4ad23daf3eb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66d544188f594fa8ecc7a67f267245e7

SHA1
1ff489615cd06eed1bf4261ba2af1ae3cdbf0306

SHA256
edaadfd80a1f5a64563da8ea339b150681b6a851c2f9a7495ad12084e174c9ba

SHA512
8787f1843aca07b58c2ddf02ddf0a81a358473a63d448e9c698985602e1c404e8274086fe8e010df78fbd9e3dcf681e5b68df5d27f8e5bf356eed5497b0098e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1325394a05affec56d9bfa48c3659f3

SHA1
fe6b8258df68965d97d666b6eec668fcedda27c6

SHA256
b23a136a17f3fbf0330d07539f1d5a9b46e1f02326e0b79f58885d90d9d6c160

SHA512
92eb1518ffac469057720e3508bb3b843c03d41f8f8f07c6dceab171ba06fa3158b4f047ad6b5693de04607198c2ccf2e8891b8d3b85b385e873db0e35bc3101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\976ec98c-204a-4fd9-a7bd-e6b4b7ef315f.tmp

Filesize
196KB

MD5
37f7ed2b0dc9b92dfb2ee89cca4f085a

SHA1
a329edd441a5ab5a768a5ce2bc7ed41519aa47f4

SHA256
6f39f26ffd96a94fb6f3d6f7b245b94d61311ad714185ba749ce65ec0322c503

SHA512
8f523bc2e49644500f7302cd25e211d4cfd6670da3b51ab32f7da2a3282947c6110af7c74974cbc306c1aa86db89ff5087a3cdcaf885bab4d107446dc15e07f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
f822752af2e25fa32b411e5dc6e4d6e2

SHA1
6e27d74d73f6fc1652da093d0628478ca6ee17c0

SHA256
188825f83cc8081b70082a0e7803346c6840fefa8f0eb3b93ac86357074d8fd4

SHA512
ff6fe7ac20924f2f461f31cd6190059b33b0faa905a21c7996eb0588f83e2db39a3d34622b1126e80d0d2c8eeb83bd7b844ca8eb425c357c6c1a08e311d22c79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
656e582621f8c5416212be1b43acfe3c

SHA1
64be3513b67e32938cb5947cdd566bee93b63fac

SHA256
b05c4bfab33eb8a7a0413e07eba75d70460922eb5b382617e73065ac9e25da96

SHA512
5efcce39aeae3440a2cf3a1f780cf0599b25d675ae210bf6574ed3167b9188240280290e85311d1985a0cc4a1d611615a6deac4e069ce54739a272204ea8ea15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
9eecd56f9711c9db80c3170b276db493

SHA1
e2efe95b9543f0a19eb5b4c57ff4de969d214e07

SHA256
e887153a7c61548934b0707cbb05c3f48a4f07b5e4245202eda0f27df5c48533

SHA512
b545c04f3ae1ef56b99b049f5a8edb2dc34a3dfba80ef79a4e92e06ab3736fb875fc248582cfb5e1583733d11e142df8006e1a80dc8159feb28c86074a4aab91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab988A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98DB.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\Desktop\SyncProtect.xml

Filesize
322KB

MD5
5c393c676d569d81f484c9d82285edf4

SHA1
d0d0776d0813531ba84556e68b4632d8af17aa9c

SHA256
a83f7dc3aebb7768b5543035920b5fb13d7265b795b752b360e9731164fb688a

SHA512
17be35779419823446c4376a6ebca9adf2cf9c3b4b0121c911de388cf1a68e294bbcc5c9caa7d27b29e97aad032b1716f8aed085f814189d9e3e2ebc49ac4950

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
bf874ec63235c32f88b0eb201514fd3a

SHA1
536d13f1befe83a18d9e2f19abb3eae42e8e73af

SHA256
01685913fe57060344e498bf5a1059d122e34a6cfc14f9900704113a74f33686

SHA512
05fba09bd60caf67e98aa5fa474f02aaf4e64e6287e9695dd1375e2604133dd07647d461b6603372050afd3591219705177c2ed58e0627da0ea4f0b81a11df04

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
9KB

MD5
a73c12290f499dce803a290fa7a887f0

SHA1
35ff59dcbd01c71701e1513acd557205baf1ba6b

SHA256
238502549f64880071b80666dca10c736f125ce4d5c9cc01d2fdc6a1447311ae

SHA512
14b56bc63509eb2845c163d7f15e4c7eb7ca5314fc9572ed6b4323166068a13a148dbb57883c2303164e70d31eb9da86b9e961e70af73c26bd85a370aac5b83c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
195KB

MD5
3fdd39220ab7f230fd00d46bc93d131e

SHA1
8b13405c86261f8b7556f8cf981bd7aa6200bf3d

SHA256
8a606cf4f4da8a1fc10f280abe59f62b31bdcfa339640d936144e789ac0ad0a2

SHA512
fc753aca53d3042e1966f5275548835899c9f9e0a42eea28484665aa51160cd147f4f4019808c22b61a2cf65fdec5601c683ae5a7c8e8d2f4129ef329acc55e1

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
4KB

MD5
cb821ddbbe3632a26b644da0a72c2566

SHA1
e01ee23205836dfaaa4272ce9a646ee052e73c32

SHA256
17d3428130a05d16f3a6a4bcdaf7539dadcc169f1707f60096040dab83d6732b

SHA512
a35c80f5b47c1c594ab21477676754dc45271e1daffbe52985aa50a07f32c976001027a9e7aee5cfc0d6dc101c17821f3362d4252bf98e7b761b85a943bb2f81

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
7c12b8cc4342f5426446998ba7162616

SHA1
45d739e53ce59ddc065955332ce31432c4391938

SHA256
4329a45de1e1882fa0acff813ef6bbff8ff3533ed81eef3ae8dcf9e4ba206470

SHA512
f656265b8a741b1c87263a92a2042f8d1a22ac13fee761cec77ec4ce9e2533fd1e1d893a9aae64ac2b32111734af481a5c6fc05763687965fba2c2a5b6881e81

Download Submit
memory/2936-4-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-11-0x000007FEF4470000-0x000007FEF4E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-10-0x000007FEF4470000-0x000007FEF4E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-9-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2936-8-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2936-7-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2936-6-0x000007FEF4470000-0x000007FEF4E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-5-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download