gafgyt | hxxp://172[.]234[.]18[.]50/NokiaWasHerebins[.]sh

Analysis

max time kernel
300s
max time network
311s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
05/01/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://172.234.18.50/NokiaWasHerebins.sh

Score

10^/10

gafgyt botnet

Malware Config

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001abbe-70.dat	family_gafgyt

Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133488930763928339"	chrome.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000d8cf3822362fda01b31a90a43d2fda01b31a90a43d2fda0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1292	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe
3480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 4636	1916	chrome.exe	72
PID 1916 wrote to memory of 4636	1916	chrome.exe	72
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 1632	1916	chrome.exe	78
PID 1916 wrote to memory of 3704	1916	chrome.exe	75
PID 1916 wrote to memory of 3704	1916	chrome.exe	75
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74
PID 1916 wrote to memory of 4016	1916	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://172.234.18.50/NokiaWasHerebins.sh
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffccabe9758,0x7ffccabe9768,0x7ffccabe9778
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1836 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=872 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4672 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5072 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5488 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5448 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3100 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2936 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2924 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4676 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2948 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5920 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 --field-trial-handle=2192,i,13906919104879246698,1044164281445696752,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\NokiaWasHerebins.sh
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:308
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\mips
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
201KB

MD5
e3038f6bc551682771347013cf7e4e4f

SHA1
f4593aba87d0a96d6f91f0e59464d7d4c74ed77e

SHA256
6a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a

SHA512
4bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b555e4cc67fd3654e3b01ce46d27c05a

SHA1
61121105ccd6f52a3724a8035c266f0d5f30bf9c

SHA256
fee4ec30e1947961fb4d0aa3c5e9aa9f7e37df40938a0ced4a6556454762a1d8

SHA512
f6ead772e2175974efe332ab6db1062c5973dc98687cd8cd661fd79c7faa8806cfbdd7e1ea0cde30fc2d249234a6c1cca039a94d8eeaeba80d11c6229626a88d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d87c631ed1c47b59b762125c391fdf8a

SHA1
acb93d4b27a66b6f5d6f597955aa8b3f6548d191

SHA256
68c986937177a1d44ce0d6e72b9321f13f5822896ad07b82e7bcaf542b33c3bc

SHA512
73458ea7575d13b4ff03dbeb769ddb54e0cfe85a783fb654e109b55992c817cb6461c3b10f6d7262574c31d785e8e226567b0f05ae51afcbc4ba42685fcb11e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
ff9a4da9576fdc4276c0ee9acb562063

SHA1
d27efd716e5abd585a56225ff768e90ee88727b7

SHA256
c4a66a95a1c79f0a6f26c822b7021876773c4981e02e27bb58130f22bd093699

SHA512
f05352b78ffa64a6674d2318c795cfa5dbfb3d6322e096f5a2c7cd7a6de49908ebae1df3cb6f407ee2c7a5dc25c040fd9901547debb0b683a06ecd991b848c47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05bea98f56f35e511e8992ea0160a07d

SHA1
87c28eb21e0675480e487aba77005c3b8bda30d3

SHA256
750a5b1f18645861a3047705005501f7166e25b75ef2fd7a71d4a7b70975c41f

SHA512
a8d0fb77203ad459a9aecf51bbd3ff5da07445cb0776b36c8592f038968cca1075df5381128d89ac87df7ed51afd9b3122888ccbbb6348cb2f29dd6590834de8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
df7f9c54f538265e4ac4a81397ee1057

SHA1
cc7328c0b1f06905b349a6046e3ab6fc58d464c8

SHA256
cef373d39d8f2771dab5178f5ca678a09ce9ca858e06ed94574b9c892e05eebf

SHA512
c7db37ed6e23439e97883295deaec97f2733030307b8cf0907edc0eb1379920bdcf96286c7e88b3bdd989a1b23cea56c79a776039b43a00030d0aaa959f86896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b07d688eed0e098f71134eb3cf6c125b

SHA1
53382222b6f98f2294c1e73e65f9b802292039c6

SHA256
cfea7b1d3304984b1d292706477f87e1c58f08a6d58717dabf5a9915f90cee52

SHA512
2acdba469b06aea64afd49ed9f110348ca8b17c42dea895ff0e5ab72f93ebb8509f98f2897f182f984f9a780eb60c05536b621fc93b79037b571acbca4f854ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
bac9d15f58c4bfbe1a8338795ac9f103

SHA1
f13de434ba1189111542a3085cde628296a39382

SHA256
d6e86e09af64cbb82090b09b150056e7e848c3bdcfd5e27d09c451f38b7cca4b

SHA512
d0146f9797c817be26f62ab50f49250d07f5de5d563d6d0947d9ad5b4c8462626dd86cd891a2de345f6a4e47275baac0c55824fb3d72d01afc90485cc7427e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
90f8b0c1dda97b8d516bd8d905243c0c

SHA1
0cb1e959923ffcd53af3cadf4a3f886ef28ccb08

SHA256
37c069d709f42c667e99b1a78073ca431b224b102701d4be1868f8fc10786676

SHA512
e805467430f00818bbe669bd31c74bcf40667677075e284e4b9253626c1e8eafe50567547215196819157f168fdc88b45a525f319a0a2e92f5e246f2b91be1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
94bcb61c3e704e21f6c89533c1bd36de

SHA1
b9769617e2136b95c12993e83c86ac00f21a98a2

SHA256
d074f8e10ba9592cea1d2497644a28570f3df752159f028a63630d039889d732

SHA512
18f837b1e6294f77cec0bb10d8142309b699ce7d21902061ccbca204790f8108d4fc3d406f0dbcd4d710625ce449ade73cc893a08e5672729df073e36caa3ab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
d25c100c45d7bf0cdb127efaa5129bc9

SHA1
b24d89e7c78952d803e94e2ce0bbe99bb937ca4f

SHA256
db9b5a6074a2d0115a03ddecb64c815b69f55801b53235b1c02ac0248388bb8b

SHA512
620c3c50650758d84cad4474fb62e780af8d6fa4a5eb5ccf786c1eb18671b5d1934bfafd56781fe440d9c04e8eb5e6d44912b43078f2d5b1265013a567588924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
20332d061d1b298b386fb890a234f7dd

SHA1
0f0c7186b8d548910b82b9962a7da30dedfb76a2

SHA256
d9a05bfd6f08e66dbf904cb91369053639fe46e3844526b3af6144c72813ab91

SHA512
2d01812bc8c50bdc77905e546ad7ae662deab0134f91a865d1512e2b904282c9d818f47b84f0c4989b291525048468f827e45ea7f24de0c935ff1df484eb468d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b06d6212472edc6df6f6ee695bdc717e

SHA1
99005868bd92929e6ea93127754124b03d94994b

SHA256
5d8e0937baf2ee45a7646d1b1b85467e38ce406dafe627e2e999e38056f89c42

SHA512
78cf3e278a242398b19712d4d074b586cdde9abf31d60365861f5075538648f555543e8272816f586323a68cd8fb1ec9c7d930c01e3849374842655d9ad0a8ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
86818863ac1488e298d3d6e38a7d5f29

SHA1
8604f14dfc5bffacd51be7d3f0fa45c5e8b4ba1b

SHA256
408b75b15c44a53b167a0af71555ecf62e14545fcce1f62446c497465d17ab81

SHA512
517ee6b92e187f2c7db5f69d0be4281001f16abe5402008f9c74e8c3a35265f17d557855c293c5beb0c217b2cb080272288c66271351c97e8d6fa7c3cc2977bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a6acb6aa90a0f3155d81b2cd922ae5b5

SHA1
77fa78070c8e3f4b572847d1956c9e17085ec22c

SHA256
947eaed98b4d1f84880263b923b5024f02aa93b030522a4a3211a5df467f3045

SHA512
b2412ab23656464545855abef4d657d8ad14f9cb63fa6b9549ae1fe5e14ff236efbbcf20da2b136ba58a8660546cc8a8fc443187f7357b2971d573e507c92a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6dd9405456eb6165b47156c0f4a50ccf

SHA1
634e1e396e404de7a44e188c9ebed9fd82216293

SHA256
d777c2a44de78f6fa5494dbc4afcfd71d78c85c221ad63ff980624d550ed5aa9

SHA512
b1b7a88c77453586e695539b187ec156f79475b73f10c2f825efbd8753fd7e062ef99b91bea9de9b3ac60b6954628ca344bfd12889f672bd7de6a552aed84d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b838e22dffecaf1a7bee31887addc733

SHA1
aa71c23a4f3699dcb3d0ee520eece22c9596cd90

SHA256
e31a9950dca3badaf42d254970090fa6e2d27326dd6554e49afc27a067cf78a2

SHA512
a782f1c84ec08513c6878051b418b476bfcf655cd426a9a6c0427c029af40f9265b9f90a018156808456d3b5710623892f7838e19cb35eaeafca73feb762f128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d3e2bec771192ebb9827a55ccd01aeae

SHA1
43bcd80a69ce49e9a438a02c176753c50f9c0ea0

SHA256
d2f9b106477606b802dcb28c3bb8e5e6449b7575fb1877a32988d18662227468

SHA512
e63300c82d956f0aef02828f5692bf5f79efffb0322b51f1a05128339ff34345b8a9f65cd5247a2a28cf15657135d4d4992f0cdf00f066440c0201fc82227b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d4341c798460c82e207851f584ce887e

SHA1
c05be3e30539e9b5a9d50cd4cd1e452f8652e844

SHA256
f7439d9f399a12985b256977fa289dd2a7214758c31534e39f85ae068efa3662

SHA512
1761f2e7f5ee8da687aba22301206f2ab838941035be5443971fffd26b5dc8667cd2118ea0eb9ac9b6d90742608cb8f9e8547d96f424fd09586a611f523a6cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
85ce3bfee3a082d6444be6bd3b7c1e72

SHA1
a766f6a785fd140175d1850b029bb0fd9575a5a8

SHA256
dae827742d6a7b2a0fd9b03b27cd96d0c97ba8c2b52485500ae4dfd39de042eb

SHA512
cfad4763f0dbbef7402102aa8c5ae143572c50cda34ab2ec0d91c6812db47e64ed6ecb2abf20c7a003ca902bc1aa2de2a75ec048fdbd35bd614ea520e3eb206d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
192c38bbfb1edddcdbcf6d00cb5c5ee5

SHA1
5792afd17805d2a89c937624ff96b5f83383bb68

SHA256
706cdbabf7f9753e12dca323bde6fe580baa80abf109ac4b7c2d89026e096b1d

SHA512
1b833b6b298f7a5aea039db2ddd0f1ee0ea7fe481e71dfaf2d7ab921de13e1b32794effb89a71244c5894f4af23099d89d3fa44f98d695fb963a9a7d2da30576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
334f7b57c20ecfb06bb3128420d848ea

SHA1
ff5f27363d40446a8b46d47420f7898cc8d423c7

SHA256
70c12b120963c2b4ca46c71d003fd031cb5cd0c87d8b9ac61e09a619b883bcef

SHA512
8976a276c79f1251bfbe3746b95c1772aea70a991f209d797b624dc842a83f14019d26f2f6efe0eb7b7467bf3090453b099bf6a8871694ceeef6bd9689c174db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a71c6.TMP

Filesize
48B

MD5
720b2eebac76f8cf34286e013d1ed811

SHA1
e63fef22850a6fae6911c7b1382e3e4799b9c8b9

SHA256
0bf9483fcef799e059ac611f4f774f577aa578cf13ecb5e13dd8e7ad914bc746

SHA512
7185ef4bd6fb5f2306f206e95462117fdf13a3caf005d58b4c1f4591fa7c31f2c2324f9bf437fd334dc3c77b8e600d3f3d7ce3af54da329f0922f50d7b3ac89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
eb3240696fe9e5279f105e19d3c1a74c

SHA1
a8e21d01d062d94b6c02d3ba0d30930f79789629

SHA256
728cc347d6f579365d2696645539cf731d56894f8a6843f39377a48e859653ac

SHA512
ae230bee984277d2fa258e93c163effcb5d833c0fe728609c351fe9eb2f97190d6c45238db7bb0e25c20cbe7d2ea445fcf7905f75005bb11f4be29902faaa1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
144edcb9108b0f304edb69ad3152e87a

SHA1
ca887da3cef2e4d515aa306f13e0e05540481b89

SHA256
d6b52fe259cc4a22a4ce1c9d815b78cd36dd0a7cee47e29a88945ee3b578433c

SHA512
2fa044d33ece49364c0393b854d5e08d582e5a49c1bb5f632709561f376f0260e23215f003ac9696429d02fa6a18a7b7474105052fecebf1d27bfea7da9acbf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
55494277f954732b6084805c0e74fc55

SHA1
70369231e7362c659ae0c45914076008b00d5a30

SHA256
5e0c46e4c69efb741fae0b35f8c973d6bd5e490ff41d504b3dd4060cf2812b69

SHA512
480e7bd3b443a3c78c144ebbf17f62a868c3ce2e7a4fdd20120ad540bb4d8394b6c5599ae1e7f2e97df363611f12fa9014fb811e857eb52b9599489e5f44085f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
1bc46048fe9f0d8c14519164e80e15ad

SHA1
e332ce569c5c46e8ed8babb2b05794eca39928c4

SHA256
3c2ac0267129d9f38aadef16f6b52d2cfdb5ffa9652a4b9d48e709c5382dee92

SHA512
0869331349cb048ec6c72b817ee5e55652e1e4fadea3965f6967c35742ffc07184310d041c0f741ffdd43cc56a1176ce4ce5627e779278cc64c022f1d0feed4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe595039.TMP

Filesize
102KB

MD5
bed3f5674f0a8742157d4318b7759fa2

SHA1
fe0da7134b3cc51b048e3640bdf138ac984dcf57

SHA256
739ff3cf02f9c0f9ba7a8e4781f69d569a0422c7ade2c06cf62b721f41cbf9ab

SHA512
092667749dfb77956b8f6be6189521ae7e3a83f7752848b4ff942a13e88fef5ff86ed4835ae453f0a65bc248bf822e37d97611a4d3c42fe9ae295afee1977cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
2e705a0902d6500194238f54362e4c8b

SHA1
d11cf36b7c50a6d84b3a76fe03c21806f4d4e7f0

SHA256
1e8460179e1a084b346955913c230e79703fa637c33f37047272e8a7338fd234

SHA512
72adf0134bd5f77ad4cc8efa4f16568c37a88f8d794b3d81c370a37ffd7f267aa4d55e899e5484a8df4e56e0aa615e483be7cc7626b77b50ec5dee5942ad5ad8

Download Submit
C:\Users\Admin\Downloads\NokiaWasHerebins.sh

Filesize
1KB

MD5
e5711369f5e736b94c3d411e35a86610

SHA1
70e855965fe1bc7ac625fd91df26a16522fe1686

SHA256
9901f1afeeac11186f031871680962d1dee357e8fc97a18e18e83ca24c4fc383

SHA512
062b23951ab1e8085694ff07858185f16498172df3c38bc4536537df7042b15173b73a2ccdaf2bc83c5e8be32a0e87b7ddcb348bf6dfa01efd6dfedb5f1f650e

Download Submit
C:\Users\Admin\Downloads\mips.crdownload

Filesize
151KB

MD5
748c8858fc4f70419300d909183b02d9

SHA1
79f1c88944bd6154597b3d9f77695e32491a210b

SHA256
6e5a32059548202a6e48aeedd13eeecb8c4e50844594e8e7e9408623ec88d232

SHA512
258d9fa33c9527d6df3467fae6cffb2d7ce2ea30db0a94dd4caa22ae93c5421aef744163b9dea09451fb040fb87b6b9efc1641e94fe64976be441469d88674f9

Download Submit