phobos | hxxps://bazaar[.]abuse[.]ch/download/000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46/

Analysis

max time kernel
162s
max time network
493s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46/

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>1B9B7FEC-2803</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3328 bcdedit.exe
3428 bcdedit.exe
4012 bcdedit.exe
4084 bcdedit.exe
Renames multiple (58) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

3644 wbadmin.exe
4032 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1824 netsh.exe
2204 netsh.exe

pid	process
3328	bcdedit.exe
3428	bcdedit.exe
4012	bcdedit.exe
4084	bcdedit.exe

pid	process
3644	wbadmin.exe
4032	wbadmin.exe

pid	process
1824	netsh.exe
2204	netsh.exe

Drops startup file 1 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Executes dropped EXE 2 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

pid	process
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
772	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-928733405-3780110381-2966456290-1000\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-928733405-3780110381-2966456290-1000\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Drops file in Program Files directory 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\GroupConfirm.ps1.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.id[1B9B7FEC-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2444 vssadmin.exe
3432 vssadmin.exe

pid	process
2444	vssadmin.exe
3432	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

chrome.exe000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

pid	process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
3028	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exe7zG.exe

pid	process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2780	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2644 wrote to memory of 2748	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2748	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2748	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2596	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2800	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2800	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2800	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe
PID 2644 wrote to memory of 2728	2644	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/download/000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bc9758,0x7fef6bc9768,0x7fef6bc9778
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:2
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1348 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:2
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3244 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1596 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2316 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=716 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3788 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3896 --field-trial-handle=1224,i,9609464373815848951,16938688974128429275,131072 /prefetch:1
  2⤵
  PID:2032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1548

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3531:190:7zEvent23643
1⤵
- Suspicious use of FindShellTrayWindow
PID:2780

C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3028
- C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
  "C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2652
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1824
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:2204
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1152
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:1080
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3328
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3428
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3644
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
  2⤵
  PID:3556
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
  2⤵
  PID:3532
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
  2⤵
  PID:3668
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:3664
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:3848
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4012
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4084
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4032
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
  2⤵
  PID:3512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1972

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3836

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2636

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[1B9B7FEC-2803].[[email protected]].eight

Filesize
2.7MB

MD5
116a01bc95f9d3d4a74f6e1f3bb72aaf

SHA1
22ec66600a4e3f98e639204cc3466c85000f59df

SHA256
0510f09bfc929861fc077128ef43cf24c67b7bb1b4d270b3430cd5bbcef7cddc

SHA512
34fc2d0bd0388ef5b4d5c3ca129c7a5563fbba996dbc81a9b6fb127a5c5af9b8a5c117cc46a89e4bcab79e725f6398de4379bcd11aff46d9af545bca51537cb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
da34f4b069d4208e643bbe5904660ba7

SHA1
8fef8e21cdbd32ee130cdd5d2369f4eff1f468d0

SHA256
24271c2602a6fd012c611bab3119efc1032a4e94ff2aac598b5ad5c5db7fd38d

SHA512
3273ffd4377adc31ac025981816295253238986f6fb178b5096692bfc5feea3ac2f81bfec3a18610f108cf8bca1c465a9fd685285dfb9d3df08aa07a06446aee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5859841b-c068-4b07-ab88-3801c3374e70.tmp

Filesize
5KB

MD5
03dd5a83c8fa2620aa0c4d754a4425b0

SHA1
5a3fee3fd83e77f5ba7419e564e32c65d34f68ef

SHA256
e814c5fb1845699cfd3caabeaf50e86c7702d6322cbe924aec6c9e71b8d0f6c0

SHA512
a8938d100fa0052e14075e6b554e4c66935629bb63440867e4820566a27e3a45321b82adbf512e40523957ebabd1094bbe82a40ee19e8fe2f93972ae55655675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
86KB

MD5
2d2694c760e06318329dfcc2d94301d6

SHA1
247aef91d05b0b4a3e3e1a0b7db51b38bb476d9c

SHA256
6f6a2fef1a117e32f038c57d111b666cd002373dc749693f5dee7062e3b61718

SHA512
8e5a70650f4ce6fcbb85b2a2083e9f7ce0858958fe892e389383ad6ea741d95780074e86849eb6d44f1bd33968db067bd4b09b094d9d50edb05a2aa1aebe5dac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
37KB

MD5
d81a6a0efae9e6e2c750f78bccab42e5

SHA1
b1cc91bc55bc3fa9f67f823b1d288cfe9feb5bdf

SHA256
23ea0ead7c68e1ea5b6818fcce2a9c8a4ebc718839a8429374ff8ccf2df9bf8b

SHA512
a97b76e8ad3fb64eeb08b28976f2976e8e6fc46081a9fc99a97d46b17866516e5039eb24efc4bb06d3c2077f2f71e1d124465b81908656bed2e54aa0548d4efd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
46KB

MD5
886240916225812a02781d05a0cd7595

SHA1
16b3972f2fc6c08b1b60d5d94c4446cf5d914dab

SHA256
0d88e0bf6f0c9bc7b942a6c6c0f5c79c11d65087a97232b659421c37c46a343e

SHA512
e1f9fbcd2fa8deeecf2b85f41399b97189c5158e508f2566943c384bd27efdfac6042997a9f4e4af34f43e9cbba64ce9a17c70b09d316e98a3db823e9f8aabb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
34KB

MD5
d5484ca761b485de83b9b3518f826da1

SHA1
fe75228f61cf9046edbb138db9e9372bb0ad49a7

SHA256
9be9f6e6204cf1c528a9bac06e5b2a8cd7651ffcfb4cc569b6f1c01492c8fd6b

SHA512
f7068af4482ab9307160f16e79fa0621acca81c97c5630e0ebd7093038436514c8bd9863ab307de7ca215931495f022a8e00df8b3393e2dfcee1fbcf97bee5b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
48KB

MD5
044f08f2e3f140d1f05d983bc0f5d08c

SHA1
6a5213ccf8dc3e78c8da80b470db09ff96b94280

SHA256
15f43bbb0e94e682c73a08368214194152e34e72f03e33789d164663c1ab883b

SHA512
56d003619471c66346093b965217e18fed24eb4cd8765c63f9b00402acb13e734fb862db494e9e83837a1e8b9f577479e6a29404b3c0b0103801fb7ef55005f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
42KB

MD5
60690cd2bf7f14c926a1195e9abfa476

SHA1
62ba5bfee9a902492746ceb5508394dfd064b13b

SHA256
dcbe43756190f8f789b13f6434b4538dea41ba65f2e5ee30e949e53bb1c97a23

SHA512
e0ec9d9298c0dd3f4d23015703cf2ac15703b01da518d9b0454112c975045c27cd8f869c51b9fa2597f259e6bec82b31e028fdaa56a5825ce4b8ba9edc9f0e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
49KB

MD5
c88672b43aa39cfff84ed463b404934e

SHA1
4f4cda40107786948c1b1c478006e6bf13e8c81e

SHA256
c218cec17773735c5cf32bb9df93c6836076ba62f6508d91060b4b6838db4818

SHA512
93c8c0aebdcc4797301ea4387fa45a5605d3c97d7b46a06d05dab56d4454dc600928dc2be108e979c53bf134268391f1039539fb9fed50f3985ff00001a16c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
42KB

MD5
c5ec9d0d04d3819ceef905a45cef78f0

SHA1
d65f5c99838f068349cee2ed05fe607b01c06bf3

SHA256
bc7cb0369b8e54d7356bcdf75f3caaa4836ccfcc73d96adc928e157b882b9218

SHA512
da8b6fadbb099fe6ef684597dd8645b3565d6e33dea359fbd19787ff23d5553296a36a480ee5cd875ef6c9c959095b244b7ca0c529ad4e45fd2b7c609b66ba6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\00903e728dee93d6_0

Filesize
18KB

MD5
42f93acd71765730c81a46a81bac3f59

SHA1
5e0d23b7515e22c0d110fce22aafe2f7c8aa4141

SHA256
ea0be8ab6f7e6c2e455422e35f9864b890638f586f843933e167e23df7b71407

SHA512
d0e2c2c4f5bf62ef1d781a058ecbf9bc5d4804043316182fbe48277b5ffff025e00289e860c86e76e79327389bb384ea7fd993ab7eb20df1609aab326d126d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\02aecf8da6f8f2af_0

Filesize
246B

MD5
362dc6f4cf02bba8242a0a9281184ee5

SHA1
7aef0a531a98ddc961e329059ff2f19767f8eea7

SHA256
1e82827ff2a2a8b60a26e3c5a92e4db0015f4d33d469816a87c768d7d49bf606

SHA512
550b58e0196dd28157be7337a5176f897ca2a0411d09d3dea2cb9d770bca79e0fd704602a1cc9f267c284dc750f81313d69069f10a7b833769e81adcf7307db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0ebb7b0af610c57b_0

Filesize
280B

MD5
45e5498586fb95b2d2f2a1cd29e2ee0c

SHA1
53cd8fc0458e33cdcbc202541cc194636f3549be

SHA256
118a5733f9640419a364fa8d62e04cbb858e57e36e149fed013a711f495bc0cd

SHA512
c026136602c619afd1b26146ccf4d8ee9a97a664eacb554cece552f6b8fc130fd8356927645c285ffa5033164cc6fa1246792d80e82d811dd61fc06edd915071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0ebb7b0af610c57b_0

Filesize
280B

MD5
26ca2f8e157a641725573c397af26b58

SHA1
a2f7c29dbe90b7a4f2c69e0de5d7e57c16a709c6

SHA256
53279f6fa9fc6bf14cc4450c2f69f0ba58d1e5a80289fdcada3da58de702b97e

SHA512
222906be4b987c6129fece8c613d766c5f028ebcf1ef2752bf977fbcb0816a04c20eed5c17d0f488e06ee8facfc955db69c29a4f732ab2b3fc2de0577bd55a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\15a0c66d2b8180bb_0

Filesize
393KB

MD5
35d94544760b86f5af208f8b951a9766

SHA1
b7d052c2d5355677e80b519fa7e43c2dee291a57

SHA256
a6968d1f386b87ff7e5e981476a7029bcf6bfd83dc303b4e3e1f92f50ac7bdd2

SHA512
39c4c429194eaec5ff1e2f7cdf99eed76ac7a2c315f050d3dd8c527479f0878cdd502230e6760086faeb035ec3cb0d5e3ddcbac53dc999bd9910664adee16dee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\24a37706d3ab219b_0

Filesize
249B

MD5
65d699f1462e9425f7593ea00c87a313

SHA1
c0c21eaa4cd7976f8d5319754981aa2a97782c80

SHA256
5dc9cda256a55fc6ea626b7925a37edc549b54a52f80737230a84bb263d6c661

SHA512
57f5574bd2f70fabadba8cf737f0327fc4fb95069110ede01ad129567ac1627eaec7138fb56162c054fe26e6e093777115e6266dbce38779ae9b9e354b05d107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\41a4ebffd069515d_0

Filesize
259B

MD5
90fe266b8602c70f6a18ede0488e74bb

SHA1
5368fc0c3203dfd5d41fc2d25669fa377b90a1f5

SHA256
14773e73c543c860170701f41f30f73a1165c7ffb5950aae59885ec047660673

SHA512
9394804399eafd363e1e3dfc18c20b640a218be57bb247202af6a94ad303ab7c6071a0f642784123623ae275818f381e7623d8729d1dace400ca39ccd63e4783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4de2e301aaf1d0be_0

Filesize
239B

MD5
72ac7201f2d9c963130c5308a2a15b09

SHA1
38477d2df4234166868e6bcfb6e0a29d9b7fbf9c

SHA256
3829d103ae574bd87c386a39bfbfd5957dcde6f37aab27efbb1401d897a6ded8

SHA512
466a71cd865a7be2412a7faaed22e6665bf4fe59d5722da6659336a7d82b3f16351b85290a7e224cbd8c4d23c53614e90913a28bf1783d36507ca601a9dea33e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5861786444facb86_0

Filesize
47KB

MD5
29b29e9b4dfd6e576dad733ed2394c37

SHA1
44226a20d132dfe2546b569943973ed901fbfd1a

SHA256
e2a5c0ca264bc7db835b24a3b2d2ba0b19384bf570f87548e0cc7a2b12603860

SHA512
6bba2164350cec9f0fcd5f3715e05f904bb04eee5e9cea2d35c7426dfe8a12a9bb340d23011f057347775c387214bd75692c903b2e068a5c7ed574e6d62f50b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\58e4506998cdadc6_0

Filesize
18KB

MD5
c508cd3c75c965752695d94240b9df7c

SHA1
39a497fc8e235743c26f02bd92a8bb0be1fbd619

SHA256
87d43561ea018a0946f7529b92d9e9db92857228184c1e0099b5e99911c9e6a5

SHA512
4150a0ff08100c0eca3d7b675d21d4b53bd24da9b6b50813f4a590c6ee02b54f9b2fd35b4186abbf0ba08a3b943810dd09731413d697679d2cca05453637795b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\929b456da48b24dc_0

Filesize
194B

MD5
62d942ff60fce9c2bbf80211870c38c9

SHA1
2ba764b2d7fd1d89a73dc0fd267cf611f897aa8b

SHA256
436d4e9f8bd1204a44f51fff52d3c0c6502131c856c70252081a73db5ad438f9

SHA512
577189a1a8e346eb78ffead7b1b1c6a664cff74d742bdba93b1d9ed7d1c0a43311a74d9fcf449bc93563b30a5d6698dd1858450299fa0eda1a5d5f1f3349762b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ac5d9cc93bac2b3f_0

Filesize
289B

MD5
fa690d357062cf55620ddf1add2c0345

SHA1
eb450725c2605321880d8f3a609b9f549067880c

SHA256
d19fc677c8a15492cb4f2a3fd8ada4a9a761faec9de2095e948d2d88037907cd

SHA512
797d120e3134a631783d0a643dff921c0fc653a39f1fba337317420ea5edeb14772a58cd7affcca5f9ad085ca3a83a269c4b78e80d82f2adacd7819104cc6b20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b7b9ff38e6900eb0_0

Filesize
106KB

MD5
dd5393052d1a776851aa892e8d92ffd2

SHA1
8789a81e66cebd397a45aa800192d135e9de59d3

SHA256
beb34000c742d502744b259297ff27d35b9c7e1e6fa947428337e9da10796847

SHA512
3256e44271aeb5a3157a7c4c28193becc0be8f3d048273f1c78745c06d4c6d6cabbc66664d6d4d47325fe42fc1d558c9383ce0d0f152fd479812b5af5832ca25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e7cee8d5c4727c01_0

Filesize
324KB

MD5
a354642cf0856f4007953b1c7b2849be

SHA1
67a92ebc56c3c8442aa497e5a718823919b283e6

SHA256
09e5e5f129433f74735d69cf8b26317376ba326dee311ebf6a6eb3dc5d017b3e

SHA512
ea17ed566e913c165bf4122db701d9d722ff6226f13c4b31893d5c47fb62c782735ad03b63541e5b9825a66421aa996163e0415764b424c9d37dec746225576f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
047f0953e335f7b1d76d4c2c04bcce7a

SHA1
baad3e123c3742626279692b4c7f40eac2f2ba28

SHA256
cc090d9a7841975c7571cc33c0328cb468825b8e7d387b7e09f3c736c6e6a8fc

SHA512
200629a8bc4a7e6b1e037efe428e82a5d352c1cc9fa66dbcb11d3c73e56ac6117050b2e80f7af7096ee82e2873c0ea5d107a1c74db013a0991117972e3bc3313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
927f3911c50f53ae2a4cb787920daa6f

SHA1
b5f5225931ecfa751a1bb968cd9c3265ae08e7c8

SHA256
00383b06a9bd3157d535177be76f48d135099a0d38a7f655406f5c2f41e2df4a

SHA512
1982171bcd5193914524aa1617dbbb77b5e566eaa3dec7976dc1817ccfd189e153698f8d225076fbfb03e859a22045fbd00ba5c2ade4f5ee94bd3464dbf26ac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
852ed91b66bccdc66c69599cca495146

SHA1
111bf31a8682bf730d33cef971180fd79a025585

SHA256
b1bd7e94a0f4e7fd971b8fddfdeb6ae71bdf67ddaa91388034c9a5bd7d680ef2

SHA512
76a9794e531de03c8b6f5f961a37be8995e4e55b2a6ba22e982358e5ae5455ff1329bd631bccd91cee4897930d5fd0dd083ac3a8adee30b393a8da95d30585f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
5fb70b2ea6b7e4715ad6839beb3aa30f

SHA1
1eb22c3534e2f52fc3d794159ad5d89e145e4807

SHA256
30e11b3c7b800e0ce35dab8165524fc0f3548c799bee7ef11f4700746d9991ac

SHA512
fe965bf504183d3b85640ed0a4397a958c9301662569b210f4ca04b2b9d114791a2f3da161f839254970d783e4d0fc232412f122ecdd4cb8ac1fd864403a42ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
136B

MD5
c371eac8730534d30ad30e7ed0f1dc92

SHA1
2f92a71214ff3d37f142660900428ae87b549f52

SHA256
a970ce7a7f4972b04137516f05df2d5c85da38191aff9ff08f571d4ba0cfa995

SHA512
8dccd8de5aa438b11ecd89dbbc5bbd1b8b84067e9fb152e1506b94ebf7a2d691dae3d96948af9dea56ec7e4ebf8cbc40e7dbb503c69f54ba8c797e5fa528e172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007

Filesize
50B

MD5
1be22f40a06c4e7348f4e7eaf40634a9

SHA1
8205ec74cd32ef63b1cc274181a74b95eedf86df

SHA256
45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691

SHA512
b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
6c15df469bf603bebe3449d9a9b3df70

SHA1
7abe731c4bd1d6ed9ed0dc038850406d2c7462ad

SHA256
9f674ce5efb0fedec11f75c0389d017b21331c8209b2e23f4e2af4bae9a8d9da

SHA512
a93d81251dd4d7986b4fd5f443ea774b51445e2e7340c6ec1c8a020d8f60cfabdc49ea1bb58d6601e43e8c1ec71790b1e1e76905cb00c4b7c5894d589e06e543

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
136B

MD5
26acec86ccb67d6015b8f3707e1c0c49

SHA1
79bbbf992f3640640340069a51d74d2ab9bd020d

SHA256
4c3491a436efa338cc737c39a5ad21add6268511466b694f594a7010e430ef73

SHA512
413074b5807eeb824119dcbe791e3ef5917cc7ac2019385fc5931575a3e0f009b03212d730bd0766f37231583c3350b97d3ebfb8c13eb919d9e74adede04a535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
301b1cf2988c1ed2b64219c997ad3e96

SHA1
96f1145188af2be75d2cecc9f973f331288e9d96

SHA256
ee07bb9d3dffd6096966712291518e8fce5a3f7a514022f08167471d7cbf1152

SHA512
9bf3ba314da1998e4beacdaf9b43dbc62278ec77da1df14d9ac8d2c8e737fe2f097d59fc0f726bb4b4f181942e961c7e1787d0e43cbc48c8836d8d7e2d336d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000007.log

Filesize
484B

MD5
a6d223da909b44b466a2fafdf1fcfe28

SHA1
d3da411f5c19d93d11621000ebb6da23414ff957

SHA256
ffdc026f574f6ffa4675beaf0849b93e6f4e6a884943560ec729fd6549f2145c

SHA512
6fb95cbd184e8aa17b87ccec8d4d731c624957192e23d0cdd6ba5c379de8ef0ca4b49f996cd5046aa61c80857c03af75b7889066dca0fb50e9074afdf75ba6bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
136B

MD5
b774661a4e833689756cd521646c7125

SHA1
7435dc5c2dd9d7f773071487815f19ab5a046819

SHA256
d310d5538b452b91fd05cd066f7b67fcc89798c29b9408628dcf56d48f6417d2

SHA512
e968a1b91e77d96ab8ddd054ae204a9770a8a787fc243c009555a0f679f6c414b4f867fee6727d671a962792001b4eb28631813ba1cbda399e7265ee5f10a171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006

Filesize
50B

MD5
78c55e45e9d1dc2e44283cf45c66728a

SHA1
88e234d9f7a513c4806845ce5c07e0016cf13352

SHA256
7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec

SHA512
f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
93f1d1d0bc57cbcf2891af74790efcfb

SHA1
77bb6d0ed891d1a0eb3fe9c2beab02a214ce926d

SHA256
f45361b52db1b85cfc50b1afefaea404da7a21330a2f90b0f193eefe884a3738

SHA512
c6f81a763768019aa0bcf130423055333f42aee25aa911b43f77482daf42e1b6e4ee3d931dc8d75b7a4b2718608090b8e9577a1a7019eb779bcee64466e45c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
668fe3146e87e66ebaac73bf95154a70

SHA1
2b6c982435fc42ec1b08c097849fe03642385219

SHA256
e0a51f4159cf765b249c59f0f821490136bc513d0c90f7a64dcd7804a65904f5

SHA512
c4d6775d520a8343fe29688f19b8e20a6f779e0afd7df73645ad47a929e230b953249941a8cf1b489b9c1866a423362b65a85315bc58dcf6fb781cb048ce648c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f69f14c3540fddbf1a28eb861fb8a3fa

SHA1
9787662ad3b4458d09c3712e256e4db116d729e2

SHA256
a1ff531bdba565cd7128acaf8ef84468a73fc833d90df3247fa7992768f03013

SHA512
256653c66e0b0204f473f8c04abb89a168bdea275760f3cc0730746d3c68256d23ce702b14cf3ee07b121ae8ec7b6b687fe4ea91faab95159ceb57b89d5ed01f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ee6a8668213ae1ce771dd8c359fadade

SHA1
79f53c55a006b39b026c712fce2c0983c96b256a

SHA256
885562b2739cc5f8335f269549c4548f8d7157885c811a9f191262c623dd797f

SHA512
c952cf0f02184085dacb089c7c30a54689bfd003dd1735c9ec368c004542db6814100ee7efd8aa4ccf4e0e1090adfd6b1567a63fa43a313b025de19bfb8d1a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8f23858290de59a3f479c1b5312ebe16

SHA1
22b37b36f7de352f6164d6a265a3c93103a248e4

SHA256
9dfc6e4485a657302b229d4cf3f6aa5d3505a7e026e950c2935422432e53d866

SHA512
b65f41b2e5d7990008cd59d631970c23c3e2251f5cc84cc4d8e020daf5d7da0895ef6a9e2552065b6b95386e6200d2419910cebd63e62732d0d7a9691ec73db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
efd7235ee381445858d635598ccc5c64

SHA1
9a70a3809345d9de9c8c6f76381c3915c1558709

SHA256
b841ee6f0f83798ebcd3040d456b3899ecb2b39fb0853c005081816a3af6c683

SHA512
ea07a49b30ea219f2147385781bee7ed319ae1ca000caf9bf9e7b2eee0d525554e035c8f720ab5a2f9c2fdc8f72c25630f8af65758f8a5f8525869fefe6bb3e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
852ca562fd8a3dc83693b5f5b8194058

SHA1
a6289f6626f361179bf6b007c15228df49fbf911

SHA256
18cb95c1f2a30a8d956dec55b895dcf46c7959c0a2f112050c27f7c5b1bf6a16

SHA512
fc04caabd61ce95db125ce5f8cc63d30a5ff489fe1be34b810262a65e9259091dfb6c701ed2374dcc741004160636fd1040a302e1cb10677f89e7a14000e225e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab699E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar69C0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Filesize
55KB

MD5
ea6d3083f8c1c506fbff457bf09a7ed8

SHA1
f159c4fc7d13571e725f0ae9e0749c77cf859b4e

SHA256
000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46

SHA512
1167b9ebe03c399c5915394592f97ce60bd07e92f589a4a0d794255c7a9c46423dd28efbf96b45aab6a67763a20676627f35683cc6790bf1383c7f07b6e28405

Download Submit
C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.zip

Filesize
39KB

MD5
fdbccd2cb802909b399e473072ad57f4

SHA1
7fe334a30bb75eb34f9be4a4b1b6c251cf37ee73

SHA256
5472cb231450fb1fbbd4499a7f6febda20ca622140f98494dbab9f839b9b77c9

SHA512
866b1324eda58c7b13a09f699493db19ce549525adee4b0f08ffda70e1b1aece19f5bb36818ef0fad2e38aa4eaf6f579539ab6a961e4c8b7338a6671ea34d744

Download Submit
C:\info.hta

Filesize
5KB

MD5
9dd4f533c0431f8391ce2be15a120982

SHA1
8e55ed9dce4cef0cee1788c57e89d391a3d22420

SHA256
0d967160663dca387dfd3f37bc4124db4dcfcbdda31bff933afb1dc45880b969

SHA512
756f0f94514eddd3489fd7c7a7df3c9cef43f2903be72f24419e535072452ac0d9cd217da6410028297223f067b7dd244a6bcfe5c019d4f9cab4526a72d6f013

Download Submit
\??\pipe\crashpad_2644_AMSSJQGIFQORKCDF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3332-10681-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3332-10682-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3332-10690-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3332-10691-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3332-10692-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3332-10693-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download