phobos | hxxps://bazaar[.]abuse[.]ch/download/000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46/

Analysis

max time kernel
335s
max time network
336s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
13-02-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46/

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>3A9BAE96-2803</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

576 bcdedit.exe
3572 bcdedit.exe
4728 bcdedit.exe
5288 bcdedit.exe
Renames multiple (539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

924 wbadmin.exe
4676 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1784 netsh.exe
3416 netsh.exe

pid	process
576	bcdedit.exe
3572	bcdedit.exe
4728	bcdedit.exe
5288	bcdedit.exe

pid	process
924	wbadmin.exe
4676	wbadmin.exe

pid	process
1784	netsh.exe
3416	netsh.exe

Drops startup file 3 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Executes dropped EXE 2 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

pid	process
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
1208	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 = "C:\\Users\\Admin\\AppData\\Local\\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-334598701-2770630493-3015612279-1000\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-334598701-2770630493-3015612279-1000\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Drops file in Program Files directory 64 IoCs

Processes:

000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Mozilla Firefox\softokn3.dll.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses.svg.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\hoistStatics.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-hk_get.svg.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-30_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\KeywordSpotters\fr-FR\Cortana.bin	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-64_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\ui-strings.js.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-125.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-72_altform-lightunplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\tilebg.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-32_altform-lightunplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-unplated_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-60_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\tr.pak.DATA.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.FileSystem.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-20_altform-unplated.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Classic.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\hi.pak.DATA.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-125_contrast-black.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubSmallTile.scale-100.png	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.XDocument.dll.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.id[3A9BAE96-2803].[[email protected]].eight	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

796 vssadmin.exe
1408 vssadmin.exe

pid	process
796	vssadmin.exe
1408	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133523249772575097"	chrome.exe

Modifies registry class 3 IoCs

Processes:

MiniSearchHost.exechrome.exe000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exe000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

pid	process
4148	chrome.exe
4148	chrome.exe
4876	chrome.exe
4876	chrome.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
4040	000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4148 chrome.exe
4148 chrome.exe
4148 chrome.exe
4148 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
3996	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

5032 MiniSearchHost.exe

pid	process
5032	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4148 wrote to memory of 4252	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 4252	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3984	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3388	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3388	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe
PID 4148 wrote to memory of 3136	4148	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/download/000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9421e9758,0x7ff9421e9768,0x7ff9421e9778
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:2
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:1
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:1
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4824 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:1
2⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3864 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:1
2⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2556 --field-trial-handle=1724,i,3988639778391568189,11761557094323835934,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2248

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:492

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17377:190:7zEvent28633
1⤵
- Suspicious use of FindShellTrayWindow
PID:3996

C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
"C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe"
2⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1576

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:796

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:3628

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:576

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3572

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:924

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:3116

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1784

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3416

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1928

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:6072

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:284

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2680

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1408

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:4652

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4728

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:5288

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2592

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[3A9BAE96-2803].[[email protected]].eight
Filesize
3.2MB

MD5
00f0b361315d3dfc8c00bf33b6f76a21

SHA1
63269678fe990dce4297e6ca26f89dfc6e485f13

SHA256
996c4ef424996fd8ddffd6918cbe0f3092453488e2546e00ca33852cc8fdbc45

SHA512
c5fc79df7597d19ca8b45addcb556b50047468be2b903eaa7ee9fe779eba56ccc0820f39e9c7704cd3c559ffd693e80e7280b1e2589552cba5687259c2da514c

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
a6e8ddaf25aea83cdaf70aa1f81889e9

SHA1
135d02767163d5abbbe3c43d248cc282f917db5e

SHA256
194bd580031d069353a996878c16b849be4f65a7b8ae1f64d4910c1cea0bb859

SHA512
cab49f905cb90e14739f22539712b17629f7d6b523dd268bf50c955769421845ddbc186f8b0bee54967bf0bf5b9427b95bbe5e32e33726768b9fa63414b17bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
765803e0cdeb1d76e28bcb17e4aecc0e

SHA1
73174ad1227da094bab1bd97d452d1a5ddcd0ed3

SHA256
4d3ef592c4d8a739d100c753e35793696b3362284bb487c1992c30504b969fa2

SHA512
8faf618534bffaf04eecf1ba0454f84461d4f7aee590b16c5dcaa7dde3fe52898ea42bb1e7c9000202de573547759482b833f611eab408de6b30ce56df241a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
050be19bf946cc382d551f74f0471882

SHA1
2466d99a11349c7fedde924a3c5322721c13f403

SHA256
6b831f8bb1db1fa77d303b41e8e60a31f7ce85b629e8a0c850704120183e248c

SHA512
fc95545e8e4ef04be16aabac0043019124f056b9e1312300c75d817c2be1dfa093c3764c1464a8edef15cedd09706ba9ad4d3f249385be366d816a2d17b4e988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
Filesize
1.0MB

MD5
77e0d0d8a98d00b491ffddc6dd7b280d

SHA1
8dac790e466aa5bf9cf79014fc016cc2c284fc6c

SHA256
62e30a175159a168ad1d109d8c57ff8b6541c97e94e0e06d24f686905c8fab58

SHA512
0d4f7326db56362e07732a0a5db115cb34dc99671ffaa95eb21e52f34aa73f4de4a0a291b6b1648e1fd46a465f36fd22461f687197a804faa6c7228ca6b0d494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
3f84248a8c708b529d28505da2d54de9

SHA1
d1bebf98700cc19608cb4b09604b3cd49bb7d558

SHA256
4b3dccc3f4f133db3bcaaf4bd6d1a234378bbbc70e0ae988b38e1473aa82a0fc

SHA512
4da35c3198216c16cf8d19e5fb1cf1ff4843d49e79d28748f8a65af25a322fda3ec3427a7d4ef1b8a3b77bf472bda88737ab44cacfab87efb2a0f427a324c3d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
22KB

MD5
3b5537dce96f57098998e410b0202920

SHA1
7732b57e4e3bbc122d63f67078efa7cf5f975448

SHA256
a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88

SHA512
c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
30KB

MD5
888c5fa4504182a0224b264a1fda0e73

SHA1
65f058a7dead59a8063362241865526eb0148f16

SHA256
7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715

SHA512
1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
77KB

MD5
b15db15f746f29ffa02638cb455b8ec0

SHA1
75a88815c47a249eadb5f0edc1675957f860cca7

SHA256
7f4d3fd0a705dbf8403298aad91d5de6972e6b5d536068eba8b24954a5a0a8c7

SHA512
84e621ac534c416cf13880059d76ce842fa74bb433a274aa5d106adbda20354fa5ed751ed1d13d0c393d54ceb37fe8dbd2f653e4cb791e9f9d3d2a50a250b05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
Filesize
86KB

MD5
839da3116f2781d799f21f8d0cd624c7

SHA1
5c0fadb2b95e1af54ada7243b2b04f1fbf893733

SHA256
841383dff2f8fa4bd6ad8354f866eeadb4ba2db2befb146de3b71135b80f09d8

SHA512
9d9b1e11c88374ac32d3765a44a948a81998bef12d3aae0b2d62b8fe2544e74328a2ce8c5a7241c88d58b18dd29a9637c5cc901ca09ef2c9b58d47ce66badfe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d
Filesize
48KB

MD5
152ba5e8618dca4b696427ef0afb61f4

SHA1
b3b80555700ad1d14f8edf83512d5e24cce2a4fd

SHA256
c2d3357aa26bf7d5e86364f56da06f3f3285bf560f72d6a86303f1a0394ed85c

SHA512
1b99b0f3af059fb8bae0db1a0ee4fe1152a6495b47e2ea4ed0971ac934a89b6bf2a351016e8c9449ca053d426928a0c7c319111fa033b81285ed82acdbc9ae10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
Filesize
26KB

MD5
eccd6a571b4036f6031cc8298917bd7f

SHA1
ffbbce15b73eeb3c4597598ebdcf53262f43bab0

SHA256
5134fcd4d7d3a95a263beb85ecdfb5602cb81d08ddce5c29533a4e932d0e50f4

SHA512
6c20c31f9db8d0d76819a8dfc1784da1b1aa9e2d7dd084a59183383718a27367ea17f5d4b86fd7147b75a224a1a265f4419d9b8cd68cc64c191f9f9a935d2f19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
28KB

MD5
bfcb94186b96445ac4fa24b7de69da60

SHA1
fed9ed625f13d773d1ed02f0d301e199e3a692b8

SHA256
df8102a5105526921942cba482dfd2608d992001c893246261a06a11d826b460

SHA512
978f8dabc85e891fb33605f70fb9e9bb2d0043bdcb10315132ec37fd3fd7f5bfeffc75734d4d7af989e8d2c5d376f94315b466c54cd176a7f42af00b4fdfc609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize
26KB

MD5
cfa083570390e9f7a2e4b0d6f03b2cc6

SHA1
f81dc0e9fc5fb029cd22eb78381d26eaa9044da8

SHA256
5a2c8e14ce633a208a6c084f3ec3b51fe7d3b0680a1cc2c4a43a51820b39e5db

SHA512
a4ce5488d0092c8b4257a704d0ba6d23ec07ab40439fa7fb4336788267ae0b844f1aa919e882795b490f31fbf3eb6bb29466bef9ebd52121900d164d7ee6663a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
Filesize
27KB

MD5
cb2d1cc54bd75d0d00e18c11d44c1bee

SHA1
a9441f4d758cbd6a2c0d935acac26ebde90c88da

SHA256
ea9dc8b97a7c1abb85e10f55b0636342aa73c41fecbc360b080b8b8ae79d6d4c

SHA512
8e53f6d65e247f242fb5d75ff2a21f8d467e13b472177c3c72e58fdba63587814227d46292136d3fafca65844b6ab14493f170e95d912fd21a745bed8e28d1af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012
Filesize
25KB

MD5
e256fed78f62001521179842338e14b5

SHA1
913d5f937e9e17bc6013b40db00af581502ccdce

SHA256
145e3479af10573af1b691cf62753957879eda50f8dc9db47eb4999897bcd7d9

SHA512
497199823e3f5436fe5c3e60d91cdf4258cfc3351e1ba36b952637ce912ca70492686682636d88c1430f1b44b96544c7b4ef37d048620fec8248293f8bdac267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\02aecf8da6f8f2af_0
Filesize
246B

MD5
8f99bb50d2ef4e66d9fc1f13667f9654

SHA1
9017208db396f1da0707daaa5073e80ee3ea1478

SHA256
7f4891627bc54a643da983bb7fa667931f31044c4e375d473715a3297b593f56

SHA512
71b792ea8a6c4867f259c19ba41d87654e07f0a43fb11e7580b74d4aee58af311f9cbb6f3b7502dc7849ef1794a0fb3854619c45c579af0d15b714eefedf2f43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0ebb7b0af610c57b_0
Filesize
280B

MD5
16176fe85c724d8d89bc10b6bf2239cf

SHA1
d3dba871d7cb8ba68f91f044f41e91a4ed56957d

SHA256
3bd0666109f519c2b9364dd8465b04074d90322b2d9adafafdf3553dc94d2b10

SHA512
d7838a997fe1af6386e36f7652f7889645d82850863d5256dffae9c7f75e7c5285106e0560c7fddec33ec239861873634fc1101d3177beca2ef1f9fd9c109073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\20cedeb8a6e7454a_0
Filesize
324KB

MD5
505c09d82ef3e3556ebeb92a74fe5f92

SHA1
cc145713ebe2b014286b9cb56ebcbdad25a7cc40

SHA256
dc2cf8facf44a12db4a22be911dd4721199d6eefbf3aec89ccd564118fcd3e74

SHA512
15759a92a058444fbfb6a29810c10b420c0d23ec1bbd2f73c2cf2cbaa6bc5da97bd0e3aa48ba67fb16a0e112d7895e7c3f53a82b905990b18e361292e8399e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\24a37706d3ab219b_0
Filesize
249B

MD5
0d0f19cec786a220195382b02dc1e96b

SHA1
cbb011d7757ffab214fcd13bef37501e78b2b6c0

SHA256
8e5f6bbb7b9b2aa34e63958659db567244942a63377dc206a262a642140ed5b6

SHA512
a46959b90f1d47efc7c73adee03ad0bd9ac905a70c4e108677fbc420fdf48680a5615867f150197b8f7012019b8697c25460c865c98020fa1be7d2c3f3042105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\41a4ebffd069515d_0
Filesize
259B

MD5
918f7ea94e8d373428e6fe7f34d42ff2

SHA1
b447361ed2ea4179314f6ecfcba0e0cd72d041db

SHA256
c3d09386a96830f3cd96df90c1df8f8a0bad9156bf2d5210333fcff10a94a003

SHA512
29f00ac56950ea95d3c19e12c193bcd441241961655a9ff7169087f5648a913be166cc11dfe82993566fc7c04842161672d7b0ceb6b7117923ef463aa73ee26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\49c6ab443331c749_0
Filesize
393KB

MD5
a9ae15ff663f30624744581936251f3a

SHA1
597de49d3ed7b1c8abef39b7c0b7caddc428c94e

SHA256
7c662a302e11cfdf3c08b695fe187a7440ca6e2675e8d69bbb3ca108b6f56bb9

SHA512
86e0c3945c95a61282d33e5ad3940fa08e7df543ad029d347e9a117f0937cb08f56c85dd94d90b922a1940e4bda684e7221b2c4c52f306aa816d695ce13e4362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4de2e301aaf1d0be_0
Filesize
239B

MD5
859db989d83c3ae1102a6b727d58a621

SHA1
552437d2c98f8a21ae47d430107467eab2b09cf9

SHA256
c5ca2423d903ae657e82cd03572ee6409f10d0787fb2633f87db238edbbc9f23

SHA512
4f014314148ac60b27d8eac04abfe224f0bafe74666c2d9c0922e2042d1b38c12b88f1ba5fe239841b754d395e9bcbc61d03f1d421565fd6ee78295bc314fa39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5ae458d90e6b4360_0
Filesize
106KB

MD5
aaa08848a9749da6d9e8a97801644001

SHA1
1a626e999a745d9d75a5183e05419602ccd042ae

SHA256
d963a0282057f49ec96dc1ae2819bdcae9c063399d36bb4fbfae5f994bf01de6

SHA512
32f01e40fd24c98d93e992a50c3f75596411d7ffa4bd06b34d228967a1cf841689fa8c18a056993f4fd2be917d4ebb48f5a107e6b1d968fad2feb78335aaadee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\929b456da48b24dc_0
Filesize
194B

MD5
e04f399db262d3601aaba255886d98e4

SHA1
44e4a176a1d1a7e91d2fbaaa01691904c3488ca0

SHA256
5eac80f9dc76ec7bb76f67dabec74c9642c3007ecf6d76abc6ded57d8a4238b9

SHA512
022ac62e6c36b3f4599ff885f7402f239fe676a6a27f2039861048a48c152359c5682053aa89ed95eefd6cef5230dbd97eb93a0902a29c8e8339aead292e756b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ac5d9cc93bac2b3f_0
Filesize
289B

MD5
7a9918c04bb490c7fc20c338d28f8b33

SHA1
36d3a7213ae1106fcd08db4251baafad78c49a44

SHA256
7e7ee0de456a5516467c6202d0bba1c424b469dbcdc1a3266e2d814963ddc0fe

SHA512
c774812cf65c06854067267a67c61541e10d8f6f920b9e84b62a92645bdaeaf28e1811e2327235eaf6346b87fcc1132fb7fd7d2818d7c3144ae573bd0a73fbc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c6d55b326fa176b0_0
Filesize
47KB

MD5
b5110f7714bfee6627ff8e6c16138052

SHA1
7c6e86ab5bfff71054fe6212f00f2d612d81668d

SHA256
434d13541cd9492ce44844c8900daa4cb68ddb3e35605bdb47102a17c701db2e

SHA512
1e53630e98df85b9ab639fa67e132d451ebc816e7b0f76a91e9e5c45d45f28dfc6856ae8d71b6d6c1381b329b42088ae53fd660adf7ea56c822f2ca97d44dbfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\cbc86ec1c478e605_0
Filesize
18KB

MD5
946756d38797c926e1c13feade542cf9

SHA1
52d548300fe330682b19b200e60eda96bffa3b9a

SHA256
b762acd27f57632a89cb7efd97b60855eaa41895e2153f8df757a02d637b9355

SHA512
35732f3ae8d1b2a67a02c1b3e791097c3b506b1c9be47124b2515dc31214f19f5d1a889638350c6ec8afab66b8a2b632c08839522275772aa242a644f349b7dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
088936cf53626fca8fb32bfc1171b3b9

SHA1
f4ec79731ab7fd1671d90776d976c19e5c00d227

SHA256
ee231e0b26e2edbdcfe79ca20cd93d042f50b1047322c097ff33ef36b3fc04ff

SHA512
77004f60fd7269510073ad862e5a4de5b1242e0d35c17377697c0fc44c6495f472daabc177ed6687191d11f65794ed5a18bdbaba9ca30a39926d76decac2257b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
440ded4961482d931cae8e0caa8decdc

SHA1
2126eba51e7c78b0664e54a6ab8d665e78803a48

SHA256
85b5c80e7d7c1163be64febc5d8ba6532a64203902d8b2af7fd3ce1fded27e87

SHA512
4efdfa8a8113c1b8b344332b221394c031be2caf5be62698c77f8222e2658807d40286a0194b07cf1edf81a226d1cdd957306fc41b87eb8b83aac0e7c247ce70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
0ea154feb878533dc2aa209fdffad7c8

SHA1
8f03d0b7103b4da256feffe650a755ae441747bf

SHA256
c9f4dbe29834271e891c10fd11a2d82f85d38d8123816d85fe0e5f9800491ccd

SHA512
ad6eca0ddb2d82ef0a7e37ffb9f96d37012eb668577cc8979c560d47249e82d3f97a1f1b0438a60ae39f0fcffecfd7e3480415931757dc1e7d72f7420554b693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Filesize
317B

MD5
f5c3f5cef0c3871b2cc01dfc259e9755

SHA1
03399b02e1d56b5f1f67332d0a8e6bf81a56bf81

SHA256
1cb9f958f19ed6e6fd2a0d064e1cd49e7bd979fc56cab47f3fb2d4f97162b0e5

SHA512
53241e65210e615993949d4bc8647aabddd3adbe4c63029e0da747c253f831683bcc7014259e4b821f8ae623e25b7ad31a2e21e1017f6130b7f3955b26844d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
20KB

MD5
842b3e6b7a74a54e30657b97676838f5

SHA1
aac7324c9beaf9bc9ef8580fbbf5f5d7c056435f

SHA256
350e2bae18106f977b10953e1b1836050cefe04b35bff833e661c3de01eb9c88

SHA512
f8a7a6dd6e2b59c6802f3985e850017038a0639370b3592b8341fda92e0f7b23a9c6321115da9ad3c71dedb92ffba991ec02e1b1381e58550646986b16c17824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Filesize
327B

MD5
b8598ca814984de121173cb6606ff7a9

SHA1
8b3a66501c5dd598fe36688025d9b646bfd18fa6

SHA256
a20821c1f0c5303bd46b4afcdcdd21bf91d0ad7abb1462f031f9edb7db717291

SHA512
08aa42b1bdbdd1c3f73ba48ca24a940838f5fb98f1d6cee2c7ff5f1f36a2951473bba1b9689b209d591a21cce0a27f2f79678bb7af72a75b2b1b2ba7c00b15dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
148KB

MD5
b09800fda94592e60d8d3eef8327e2be

SHA1
125eedb3de402f6dca2e0b5cc242e7813aff6350

SHA256
859877f6a27a0744f7c804e15b7ac170e9e7784c170e75021b8ece0ef8f9d624

SHA512
6c891a5779abcc89bb590ac737bcdac74a1e913ed34a816ac43d8bd968ba1bdd84b308431e55f8e8b1e9e1065f85d5b8a5a38aa1b82f905fced27a80b946798f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Filesize
484B

MD5
2ff39b4d8d0e282f467006fc08bd07aa

SHA1
7381a2564f1bf8a6f4278d888d06354e3e748355

SHA256
e9c7bdcf1413d273ba888ebbc0292b40c399b19662ca29599c6ea74292dbd774

SHA512
3f5e99a16b5149907a1829dc2e2be283b8a4c534486487682b0dab79ec85f409583d5ceadbf5319373af391dc4731a2403436cd3e0e32e5f1a4898983ccea66c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
332B

MD5
90b9d9ba9af9ca6b6cd59a37814e3f90

SHA1
936b1fc49a74d744f9ac09fb7c75c4ab9d78633d

SHA256
c5bb15b26bfe9352ae191c410732726be50939c87dacc5ba13e42748622c4171

SHA512
c0af57283517373b9014486926f960dc3142c25fe037055ac69d9c789a398d64f0aeb48d4b899626c92d52f056882b7afb882d2f9ff5181a59948b096e147033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
0cc43ab020f848fb149dcabc6392fa5e

SHA1
1c3acc59e3ef7a04a97e94e78a49d0333d228ac7

SHA256
a2023b7937f3c1e11e872771009b86b7d4629dfd3527111e66d807ef2d735475

SHA512
2235798c2f9a1a721ae20497ee46f294bd58e1794ee6364065fcc7482fbf99c09e5791206e6e78ed487fc42bf3c2f373c49aca9716d148644214d53af00abeca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
28a4d4fd8bac1b679cf6b0ed75d9e807

SHA1
76e90bb2364f6adf5fe4c6e86cb5d87c616bdb31

SHA256
b4e61090886c46a59c37314a0d05d49474b8b1fd275ea4dd577e4f699789cc06

SHA512
184f630e0cef62be6fb57b9b08e006b5a24013d01207b998dbaedebd7a2529700281d92a382e0ed1a2135bf64e82e6abd6e45e6fbe54612bae63708c745f03b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c578c0f5197a023e7ae8c9b102ffce8b

SHA1
e95752c0ad63eb1c0c65d7413cfde88b97124d7e

SHA256
3c98c7f3c83068842eb5b3925c6c7326a3b2d82cd14ad0c94a81fc4e3a19f715

SHA512
3bfe7fb9634d406ea511f77a40eda7a9a841c55760dda9536529f4b257d4fd780554ff6b253dcd1cb5a3788d9c5d06ff535b11498659f0ab3f2bbae756ec1821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
d08d5b4658e2851e47f0e9964a472d7b

SHA1
8ff3b0893d22bb33bd993f52e3aac61734271142

SHA256
c0fb560812f18cc888ff8f58f482d1441000e65fe3975e710dfbf23d67dea35f

SHA512
34d3d3ef12b9d146bcc2c4f9bca86e86bb4964b7a8065aaa7ce359d3213db2498fdd2bd82592c62786d9a209415261abfe6a02cd55ad69985a68f98ee36a2a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State~RFe5c0cb9.TMP
Filesize
2KB

MD5
a85c980f8fc6865b70ec21780a927499

SHA1
8b3a604f56c662d9bd06d9f982ae07fd7f742584

SHA256
22489951953c305a90bc77cd22bc4ab5f3c085761e20b90eace7b04e12eab7a6

SHA512
7b69171d59f6ccc1b5bec5b035a96dd157635940c5f1396fc9d319020e04025eb4a32cc0e174818d7d4b8bc62d65de04061c8f7c3fb3d7602639b0438e14a88a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
Filesize
36KB

MD5
13ed04c9b6a7c74c6706c8afbe28287f

SHA1
d5e71e3ecf695be0f6739ffd2dea8a3f63f9b028

SHA256
98638934c37244dca78fb7eebad23a62a4b1036db3b766012ce049c9df451382

SHA512
3cb3e54ea3e3bb815a72d30615d07488f4c6db733282fbd77001e80500a92800636865620fae8531d78a9bd96b2123353ac1e5f49741acdd5113311687b76137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
b0b9bdc918f90e99e54eb809977af7b9

SHA1
bbb709e9402d225dce99243b474c543d2ee39a57

SHA256
9f9f953b543a5a9cefacdcd9284853c6b2438059012feb768ce8e4cbdf207bf2

SHA512
61d6b89feafa28fcaa309e7e805808830ee984c305f914a2020e057e3251e1655f9b86ebee813d7120d1fa25aa0198d63befecd8bbd46651b9846c81971b01b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
b1a876aaaa90d399aec101b38aab8f83

SHA1
c4b076317e36356b138d0f25ecb789a2a45588e1

SHA256
787691606baf17d455855281be6e415a7af1214a74d9cfc62d046cb3cd5e1a07

SHA512
0b91c874b6589eb2325db3dfaf196c03ffb60ad72b146734421b398b462efd12fdeaa9fed289cd3b3bd108947cf51d5fe20085d0138b58e34c2598152358dee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
cdfbe6128bee0004080f2c417f717939

SHA1
e0b77c85d064df686c8a741b1d98dad2125d5517

SHA256
a63bc54b2a8f4e1dadf113909783ed58d3abfafbda8446fb16265697639b6633

SHA512
8666f56479064b6d13cf7d761a9e43f6009292beee10841892335c9745156538a9abac651697a24884460c8eefb4555dd8343d44639cf913ede645b79322795a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
232f14c3bc113338aa4447982ae9579a

SHA1
d0b9a4b43a0da905feb2b10369a2d630e4f497e2

SHA256
eb9191ad597834dd2966420153e4c0610e8442d2f3aa6829dc1e888371d2e191

SHA512
3cd7fbefdd6e7b79e1d91488e80fed16efbb39a0a68be6f2850e7ba12fed4c3e4e46877fbf850973d3f573f51510664b4de92154d8233bbca963421879903604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
666bd1e732e8656b9b17a2d44a0fd35a

SHA1
2f8da56aa7a191f0e92d4955b54e67b4b8644f67

SHA256
779dc295470df235c2c1d1bcc249fc94c77684f4f0f547b5f7a041694bf743de

SHA512
a4a5822d711ba5953b89df96bce2cc4ddd874c640cb201a6dfa14ef37a2eb16aa4103f6e88a9fd9d86e9ae4e1305bbf141e7b48b3cf26ad1a1897bdc14c96fd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1c762a7375e94e34ce3f230e0f2b9283

SHA1
dca4b8c14fc0900b45199cce2cbf9c2e3114daf0

SHA256
9b6ce61d978ae6a816c04dd4d427c6b764225ab5196130a57d153b7d63037926

SHA512
07643277cf4601717128f88927c8f8215958d73d9d433788bda257d1198316dfc12fdb220218c9c56a954d4d6128cd26d6274f22582ce07f1d939b00346b6ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
ed57fe6aedb54f1c048a4a96e80d4a92

SHA1
f6f094d646ab71221e2ee4b1d645c2d58ff9ec96

SHA256
f294ffdee7bf68feca98a5a6b0268216bd89413ea45c9c8c1db875cf0006b3f6

SHA512
abb1ae0609e057e9c22014b048b269ab5df12d15b716d56ab9da1343b393f2290270c1d567e5e56b22ebaf7ddd86eead9ed2a136aa0a9b0bfe4dcaee5ef3c9fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
788137a3353b0f214e5e3c94a5eb52f8

SHA1
ec347e877511a4ccd4fa6c9630a41ee62295ad9f

SHA256
3ef467ddac0acbb7f6651bd5cdceac04ca6573a37fb3f88db12bbcc737c421e4

SHA512
09b3c0537cda03644bc56caa9ed8796245f82f4576120d5cb2e17b23fb59cf6d42329073d02670fea8c49d3f236a6eecbcf0cb9c8c6b499c7a3a538c6c5cb8b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b14a.TMP
Filesize
93KB

MD5
8712abab3d633a84ab555fdd2cdfdcba

SHA1
d716b82c3fd9f3d09ee1676d6b02f416b5b33cc0

SHA256
ef15d3a30cb52ed750640db1ea651dccf1420a676af9fea69c5fbef2a6bedf2c

SHA512
6f4c0ebf3abedd5fbe3bb570f12a9df86d7e9fb799c78ac1f41f567df016afc777d080b1af608c6d816a26a35aed2f6b82a0de4ae6086fc2bdeb00af86b8385d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
12KB

MD5
38e92c1fac5c9af67a812bb07c1ace03

SHA1
0a60f05added0f825bae6afc188d7512557ee185

SHA256
25779c1883ab7360a7342f64c68d93c672bf1a5827244d20ba73f44908cb0f45

SHA512
afff3e1f11daf39bf2ab1fff9d54a61362ef8354ac5496127a4e1d3a9c1b722feb7fdd2ed567519ba68f317dd049c5b55e58522c9609194f8c56af20121baef4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
12KB

MD5
d619fb20a71feb79f076abc1731b6c4a

SHA1
da1cf16653d5938673c1a64d9a390e0b079565e6

SHA256
54809e126456c60dc3d38a26f20344578c03e6750ea97e8eb7d9cf07c46ac752

SHA512
7bb35aad061bcb19bc4fb7ef8319f6075a7ef99811213b246f4e5e91aaa8d6838a9b4108cf4cd45f83b5c4e565340a745fd1501a00015f3af537050326c46269

Download Submit
C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe
Filesize
55KB

MD5
ea6d3083f8c1c506fbff457bf09a7ed8

SHA1
f159c4fc7d13571e725f0ae9e0749c77cf859b4e

SHA256
000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46

SHA512
1167b9ebe03c399c5915394592f97ce60bd07e92f589a4a0d794255c7a9c46423dd28efbf96b45aab6a67763a20676627f35683cc6790bf1383c7f07b6e28405

Download Submit
C:\Users\Admin\Downloads\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.zip
Filesize
39KB

MD5
e871b9532c3e73fb999103b965a07227

SHA1
b984e3e1ecd98482788d809bfe01ecd7b7a4cd3c

SHA256
8e2d195820d966d67fbb3c2982f64e83371201e742ca6b1f25907b3e71894820

SHA512
558b33528e03aa48f7a8360dfbc55695e8c46b423a2797bf671179c3380fa932e9394726a85619e041bfc774db4176cd1b55f67a107df4442b8fa0cf0d6dd1d5

Download Submit
C:\info.hta
Filesize
5KB

MD5
27925ea69c1ac69fc9bc8ddfbe107f0e

SHA1
ddaf43041891186320e9d4c3a0d5949cece04298

SHA256
b4d7e2c16fa588529916a2a50f38c8df8822f3e2f9e5e9a50d32898076734175

SHA512
a9c0e95a70304019709b89f0aa48a7c23da4d4adeb04ff9dadcfe68668738bb329e83342e5cbe4e8dc7db43939c0ef5c4b31d88f496afaa12b0b6657f6595ea5

Download Submit
\??\pipe\crashpad_4148_ZIQGSFGBLIOEWYXT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit