troldesh | 7e82168b3d2a5318d489acf0bd260dbc6d622248ef752d600d18ca69038c64db

Analysis

max time kernel
885s
max time network
850s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ransom.js
Size

5KB
MD5

a724f9e28bac9aecafd3f89648dd2cfe
SHA1

5299483e34930b25d878bc2fa9bdf04406ffe0d4
SHA256

63228f8c6d0944cff64fae26d3694bf1efd1a3d5d08a11cd4bfcb5cf19d6fc54
SHA512

70a2bb681b3d7e5e5fb24ba9e071ee5b688d8a9f557d70f371dcc706ed50bb8945605862e30c13fa242a340c075e8618da114f73baba7ba60e491f7410b562ac
SSDEEP

96:ARW/UCeBiP7xcaDz9KkpTWC1lazQnP4HblO+:Ak/UV56kCTWElbP4HhR

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	2756	wscript.exe
7	2756	wscript.exe
9	2756	wscript.exe
11	2756	wscript.exe
13	2756	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
2908	sserv.tmp
1448	sserv.tmp
2072	sserv.exe
1392	sserv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-391-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-392-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-393-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-394-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-395-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-397-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-402-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-403-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-407-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-409-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-410-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-411-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-412-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-413-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1448-414-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2072-417-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2072-419-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2072-420-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2072-421-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2072-422-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2072-423-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1392-427-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1392-429-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1392-431-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1392-430-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1392-432-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1392-433-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-436-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-457-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-458-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-462-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-464-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-468-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-469-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-472-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-474-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-476-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-479-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-482-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-484-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-488-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-489-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-492-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-494-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-498-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-499-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-504-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-502-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-507-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-509-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-513-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-514-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-517-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-519-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-523-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-524-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-529-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-527-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/2908-533-0x0000000000400000-0x0000000000607000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	sserv.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	sserv.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	sserv.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png	sserv.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	sserv.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	sserv.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json	sserv.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RSSFeeds.css	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png	sserv.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	sserv.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	sserv.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js	sserv.tmp
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	sserv.tmp
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	sserv.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	sserv.tmp
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js	sserv.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	sserv.tmp
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	sserv.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2088	vssadmin.exe
2320	vssadmin.exe
2544	vssadmin.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.tmp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.tmp\ = "tmp_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\tmp_auto_file\shell\edit\command	rundll32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\171F386936C6DC7797C64B4725F49212C928B565	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\171F386936C6DC7797C64B4725F49212C928B565\Blob = 190000000100000010000000ad89e24fa7adcd74f2193ae46bfb80240f00000001000000200000008f354431980b2f2be6451a48df599dd6c999518b0565dfde3368f9319e12f431030000000100000014000000171f386936c6dc7797c64b4725f49212c928b565140000000100000014000000c17450d7de64b2448dbb56745723fc978785be872000000001000000f9020000308202f5308201dda00302010202104a3ca497a3726e9d0224544e6c82f937300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303932383230303030305a170d3238303932363230303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd3dc4e7396de89caf66bfcdf614affe534624280d366d071e8a0cf91daf271196107507f85c3231b92c725430c8a0f83150b7ee5569761422f4b41b17c0932f08557d86f77a89220903bdaff0dc386ae3e1c2abc1df0ff06bf7546079a344d4198a69a6f27d0e7e05c1ad986c5124ac6549f6ce82d87b702df225f035ffbd713ac11f20896d271d94c5a00029aa6f5e3b1ebc3be1d3497a61b815fed4763b3d015f0ca28b405ff278c8141c9467d5075fb0640f2a0db04ed50a75c535eebf7976e42e5d8903ee2a902cd97a28566e6c5b6ed2537f4ca88fa5cc73b28a65944e454179e9cacfd2da9e7dcd4bf05cddac98a0ac0bfd48a8ae717b5c42a7712ffb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414c17450d7de64b2448dbb56745723fc978785be87300d06092a864886f70d01010b05000382010100bbd0e0c8c9eac837b5fcfa0e4514f012e1befdc06227052fd907457d52c6425ba34280dc6c35ae4d2422ebc4d82c328f222e44955a1a5578eb5e8fb21cd05e9d39f7c73a3671b41cf6d2e1c6c13b71d96d2907c4cc38cce58486beffd1ae29064c445c989e7a503723f4ae3126a7697e8c98fe606be6e7708f17c444db7d6b89ed1045d6cd5918edeae1d1f3d417941a5551f545ec0432fe8bdc7cc142e8a743d041a4547be267f050b995df1182c2f518ea740044f6e55ea0c29743a0dbbc08f9cf803f7b366484630b5a1f2c9135decb6ccd1596f712f11f41bb1ae723526c63351df244b4348f71aef4053b1afad3423855c8bf7a4975566352f7dfa2de86	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\171F386936C6DC7797C64B4725F49212C928B565\Blob = 0f00000001000000200000008f354431980b2f2be6451a48df599dd6c999518b0565dfde3368f9319e12f431030000000100000014000000171f386936c6dc7797c64b4725f49212c928b5652000000001000000f9020000308202f5308201dda00302010202104a3ca497a3726e9d0224544e6c82f937300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303932383230303030305a170d3238303932363230303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd3dc4e7396de89caf66bfcdf614affe534624280d366d071e8a0cf91daf271196107507f85c3231b92c725430c8a0f83150b7ee5569761422f4b41b17c0932f08557d86f77a89220903bdaff0dc386ae3e1c2abc1df0ff06bf7546079a344d4198a69a6f27d0e7e05c1ad986c5124ac6549f6ce82d87b702df225f035ffbd713ac11f20896d271d94c5a00029aa6f5e3b1ebc3be1d3497a61b815fed4763b3d015f0ca28b405ff278c8141c9467d5075fb0640f2a0db04ed50a75c535eebf7976e42e5d8903ee2a902cd97a28566e6c5b6ed2537f4ca88fa5cc73b28a65944e454179e9cacfd2da9e7dcd4bf05cddac98a0ac0bfd48a8ae717b5c42a7712ffb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414c17450d7de64b2448dbb56745723fc978785be87300d06092a864886f70d01010b05000382010100bbd0e0c8c9eac837b5fcfa0e4514f012e1befdc06227052fd907457d52c6425ba34280dc6c35ae4d2422ebc4d82c328f222e44955a1a5578eb5e8fb21cd05e9d39f7c73a3671b41cf6d2e1c6c13b71d96d2907c4cc38cce58486beffd1ae29064c445c989e7a503723f4ae3126a7697e8c98fe606be6e7708f17c444db7d6b89ed1045d6cd5918edeae1d1f3d417941a5551f545ec0432fe8bdc7cc142e8a743d041a4547be267f050b995df1182c2f518ea740044f6e55ea0c29743a0dbbc08f9cf803f7b366484630b5a1f2c9135decb6ccd1596f712f11f41bb1ae723526c63351df244b4348f71aef4053b1afad3423855c8bf7a4975566352f7dfa2de86	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\171F386936C6DC7797C64B4725F49212C928B565\Blob = 140000000100000014000000c17450d7de64b2448dbb56745723fc978785be87030000000100000014000000171f386936c6dc7797c64b4725f49212c928b5650f00000001000000200000008f354431980b2f2be6451a48df599dd6c999518b0565dfde3368f9319e12f4312000000001000000f9020000308202f5308201dda00302010202104a3ca497a3726e9d0224544e6c82f937300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303932383230303030305a170d3238303932363230303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd3dc4e7396de89caf66bfcdf614affe534624280d366d071e8a0cf91daf271196107507f85c3231b92c725430c8a0f83150b7ee5569761422f4b41b17c0932f08557d86f77a89220903bdaff0dc386ae3e1c2abc1df0ff06bf7546079a344d4198a69a6f27d0e7e05c1ad986c5124ac6549f6ce82d87b702df225f035ffbd713ac11f20896d271d94c5a00029aa6f5e3b1ebc3be1d3497a61b815fed4763b3d015f0ca28b405ff278c8141c9467d5075fb0640f2a0db04ed50a75c535eebf7976e42e5d8903ee2a902cd97a28566e6c5b6ed2537f4ca88fa5cc73b28a65944e454179e9cacfd2da9e7dcd4bf05cddac98a0ac0bfd48a8ae717b5c42a7712ffb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414c17450d7de64b2448dbb56745723fc978785be87300d06092a864886f70d01010b05000382010100bbd0e0c8c9eac837b5fcfa0e4514f012e1befdc06227052fd907457d52c6425ba34280dc6c35ae4d2422ebc4d82c328f222e44955a1a5578eb5e8fb21cd05e9d39f7c73a3671b41cf6d2e1c6c13b71d96d2907c4cc38cce58486beffd1ae29064c445c989e7a503723f4ae3126a7697e8c98fe606be6e7708f17c444db7d6b89ed1045d6cd5918edeae1d1f3d417941a5551f545ec0432fe8bdc7cc142e8a743d041a4547be267f050b995df1182c2f518ea740044f6e55ea0c29743a0dbbc08f9cf803f7b366484630b5a1f2c9135decb6ccd1596f712f11f41bb1ae723526c63351df244b4348f71aef4053b1afad3423855c8bf7a4975566352f7dfa2de86	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
396	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2908	sserv.tmp
1448	sserv.tmp

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2908	sserv.tmp
2908	sserv.tmp
1448	sserv.tmp
1448	sserv.tmp
2072	sserv.exe
2072	sserv.exe
1392	sserv.exe
1392	sserv.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2908	sserv.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe
Token: SeShutdownPrivilege	2732	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
3004	7zFM.exe
2600	7zG.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2908	sserv.tmp
1448	sserv.tmp
2072	sserv.exe
1392	sserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1528	2732	chrome.exe	30
PID 2732 wrote to memory of 1528	2732	chrome.exe	30
PID 2732 wrote to memory of 1528	2732	chrome.exe	30
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 464	2732	chrome.exe	32
PID 2732 wrote to memory of 2148	2732	chrome.exe	34
PID 2732 wrote to memory of 2148	2732	chrome.exe	34
PID 2732 wrote to memory of 2148	2732	chrome.exe	34
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33
PID 2732 wrote to memory of 1376	2732	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6979758,0x7fef6979768,0x7fef6979778
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:2
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2128 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1132 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:2
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3316 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3764 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3448 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2328 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2696 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 --field-trial-handle=1212,i,1039764396156493228,16608420457864961860,131072 /prefetch:8
  2⤵
  PID:2336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2392

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\xoA4UIdV.zip"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap23600:78:7zEvent27013
1⤵
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1076
- C:\Users\Admin\Downloads\sserv.tmp
  sserv.tmp
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  PID:2908
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe List Shadows
    3⤵
    - Interacts with shadow copies
    PID:2088
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2320
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe List Shadows
    3⤵
    - Interacts with shadow copies
    PID:2544
- C:\Users\Admin\Downloads\sserv.tmp
  sserv.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1448

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\sserv.tmp
1⤵
- Modifies registry class
PID:2408
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\sserv.tmp
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:396

C:\Users\Admin\Downloads\sserv.exe
"C:\Users\Admin\Downloads\sserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2072

C:\Users\Admin\Downloads\sserv.exe
"C:\Users\Admin\Downloads\sserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
41eaff583aef3ee0dc6501b5d865fe9e

SHA1
5f2041f3b66faaa5926473afe2bcf4426e0ced14

SHA256
75f5171ee682c2b41ddd55880dee8247db22b3cfa4c13e00cf24c632b9efa154

SHA512
70ebf8e0469225133030600ed1ddbe3ebe5f5e977d187c70396a3171492764ae1478a5def59f410263922c113899739e56b5f34c42e6a3c8f56e8cc77abef31d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01af2559c300140ea7e50bdc6088e80e

SHA1
5ceacc32fba2229b444395c7fdac6e4e0404c0c0

SHA256
2c81cacd1385254e6100e506df7e61dac22a4e9456154223bec1e0a560202988

SHA512
ec64d3d5467cdca3943847c7072e717057e4d9f6a00c69ab18712221135169b0f297faa6644531b98850e636defda29f110a9391c9fede070d28bac7acbfbe90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61f4196b0dfa01b4ee868b7bdf787052

SHA1
e910013d5eb1287588acf2487fd8dceef89edeb1

SHA256
ca7ae0ddafe1e6530e372321df597aefbace3958eeb72eac4145fe364fcc6713

SHA512
8940ca7d978b17b6236febcfbbbd22ed9f2ef4005601bcb02d57562631d4d52170f0708c4fc8a9ecdeeae04b959e2f27446c6f0cd0558aff3855759c9eb3e2b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
525a1534333a2c6921dcd02e942ee42e

SHA1
58d2344366108745132e495d6f3fd56358f3208b

SHA256
a882b9ea8d1abd68194d6e66aafd5fef639d3e1e1a7e7b0ed48e565ee53093ae

SHA512
5418ab0f56fc9ad0b3e3cd0abec8048577b0c76a1963aa12cb938a2489679d18977177b607b92bbf6798cd12417047486aa74b93851aa847a2e6992e5586650f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3ef1c010370042c48f814ce5495316f8

SHA1
339e842c747cc3c324d780f05136a8ffe497043f

SHA256
0b54b815df8c04f6c27de8a96c1cb3f6e84bcadd3c193a0c3233da34e801f2b4

SHA512
5142bdc822ad098a8ec35fe6095039e01cc7bf54e7525a28391ddcecbfc3475b87e13a2a4bf8e88a5ff4dcf463fe337cf4a97b75c3f08916735902bff2042614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c418e2690b0c249036adeb7b0e4f3c13

SHA1
9eaceb3726fea7bceb7c67413fbe380b3a1ada7e

SHA256
5b4256b3784322443ec073fc95454f62103ae59c87cf052926ba45b88be8ba8a

SHA512
e822cb1d2e5bbeef7f4addb71802851ec0a6b547bc45b3a7044aae8f7a1b876e3117a75f13cad0d72acdc8066dec27361a2b5ab6116adb232dee49a43d9e8cd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
34505eadfa8cab6a1822b73a1a4f8424

SHA1
a091e0749183b3db00552435fd09cd91741ecbd2

SHA256
2d668b8e61426b08f342c67133d4a48c8c355dff98b9652c45eaf515a09f2b1b

SHA512
5a64f4ca393e95a57a53f55e1103ceccce98d3eb50236df05a2fec4dd04e9c4c6b1ed5d560f69f319dbcf4b05035afb0a153aebd1b3b1c591ee8346fa9d1f976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
03d382d880b76d434e1a479b2a2a7f01

SHA1
969ea28115edaf309eacdb8058c1ac6982584edd

SHA256
7a9c5a398f5221cba2c33747bb3495773d292ab899012fa907db6fbb87285c0d

SHA512
a12a4bfe959e651a5a80f56d99019c6d1d8fb4e861f7d3675ca86a7f8f93767be24b42433d37f960fa4bc8e9e2dec787d8f9e7785edd8d9394770c24e316a5d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
2520d9bd0d64336e2c5fbb7a4f2a0b8c

SHA1
ec56d88af189c1fe39a718d79a88c97e8bcdfeff

SHA256
7e02f8aacaa7a702d011dcf18ab2a0f3cb0d1e39c7e486b5073362d3e420c757

SHA512
6b1e955056e99908479a3bdd198d0f9f6281a6f3954852d72c60396557a5c14c2cffa40b4d10c72111f0035f512d6963290676018cffc709e0af94d94a990115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f3094b5b-ce10-4ecf-8275-b3e99af9ed85.tmp

Filesize
199KB

MD5
384903de290e606391c3102f1f2b3a28

SHA1
0a47a6d3c79789fc10a47138e6a755df1ff0ff76

SHA256
17a858c6b085c9f0d41257498d261b390e93c724660d0bb0c0fe106c58a9a433

SHA512
e73437a1fef9af3ffa955c2e50a308c638b1fab9523a235e1e4fd3cdebf0be1ee5c27314d73f88c8940d26974e53fdacbaea0cbe8066a65bc622dc23f7584326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DBE.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FC3.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\Downloads\sserv.exe

Filesize
1.0MB

MD5
ca84fed65adf022bd0d2477ebcc2329f

SHA1
2cfa335779f1231f8df2f1de958dcefdfdd70a13

SHA256
f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b

SHA512
0f6b92c1d5f2958ff3edeccfeb33c41237c2279a18f87105ce04e7657ee2043b555e9191335f01d3a09a9dd689bb16b3d6015a6ce17622177d9bf54a913fd928

Download Submit
C:\Users\Admin\Downloads\sserv.exe

Filesize
1.0MB

MD5
ca84fed65adf022bd0d2477ebcc2329f

SHA1
2cfa335779f1231f8df2f1de958dcefdfdd70a13

SHA256
f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b

SHA512
0f6b92c1d5f2958ff3edeccfeb33c41237c2279a18f87105ce04e7657ee2043b555e9191335f01d3a09a9dd689bb16b3d6015a6ce17622177d9bf54a913fd928

Download Submit
C:\Users\Admin\Downloads\sserv.tmp

Filesize
1.0MB

MD5
ca84fed65adf022bd0d2477ebcc2329f

SHA1
2cfa335779f1231f8df2f1de958dcefdfdd70a13

SHA256
f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b

SHA512
0f6b92c1d5f2958ff3edeccfeb33c41237c2279a18f87105ce04e7657ee2043b555e9191335f01d3a09a9dd689bb16b3d6015a6ce17622177d9bf54a913fd928

Download Submit
C:\Users\Admin\Downloads\sserv.tmp

Filesize
1.0MB

MD5
ca84fed65adf022bd0d2477ebcc2329f

SHA1
2cfa335779f1231f8df2f1de958dcefdfdd70a13

SHA256
f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b

SHA512
0f6b92c1d5f2958ff3edeccfeb33c41237c2279a18f87105ce04e7657ee2043b555e9191335f01d3a09a9dd689bb16b3d6015a6ce17622177d9bf54a913fd928

Download Submit
C:\Users\Admin\Downloads\sserv.tmp

Filesize
1.0MB

MD5
ca84fed65adf022bd0d2477ebcc2329f

SHA1
2cfa335779f1231f8df2f1de958dcefdfdd70a13

SHA256
f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b

SHA512
0f6b92c1d5f2958ff3edeccfeb33c41237c2279a18f87105ce04e7657ee2043b555e9191335f01d3a09a9dd689bb16b3d6015a6ce17622177d9bf54a913fd928

Download Submit
C:\Users\Admin\Downloads\xoA4UIdV.zip

Filesize
962KB

MD5
f2389300f02735e1433f53a54e1bd837

SHA1
e79dee1fea723a7733d8defa51de192d76c266a3

SHA256
0cb0bd35a71ecb17f0b142c75ffbb808de4f585ffb44e6d115e19c4332364e1a

SHA512
1671963b28c56ae39a6ec9f53e455720c2a200aa014010d4f2df2c094e830f5330a7e73d4c5670b8a9ebe2d6a9d371c815b13511c27b2c040be327e917be0a41

Download Submit
memory/1392-433-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1392-432-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1392-430-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1392-431-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1392-429-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1392-427-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-407-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-409-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-410-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-411-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-412-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-413-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1448-414-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2072-421-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2072-422-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2072-423-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2072-417-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2072-419-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2072-420-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-391-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-403-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-402-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-401-0x0000000001F80000-0x0000000002054000-memory.dmp

Filesize
848KB

Download
memory/2908-397-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-395-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-394-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-393-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-392-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-390-0x0000000001F80000-0x0000000002054000-memory.dmp

Filesize
848KB

Download
memory/2908-436-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-457-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-458-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-462-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-464-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-468-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-469-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-472-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-474-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-476-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-479-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-482-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-484-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-488-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-489-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-492-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-494-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-498-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-499-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-504-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-502-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-507-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-509-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-513-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-514-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-517-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-519-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-523-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-524-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-529-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-527-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/2908-533-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download