Analysis

  • max time kernel
    130s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    19-02-2024 17:42

General

  • Target

    https://viviendas8.com/bb/abc.exe

Score
10/10

Malware Config

Extracted

Path

C:\Users\1YwR2c1YK.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe. Tor Browser Links: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion Links for normal browser: http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. 
If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us and decrypt one file for free on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from you. If you need a unique ID for correspondence with us that no one will know about, tell it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. 
Tor Browser personal link available only to you (available during a ddos attack): http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion Tor Browser Links for chat (sometimes unavailable due to ddos attacks): http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Your personal ID: E93EA07CABA981A0EE64DCE17A0ED5DC <<<<< >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They won't help and will only make things worse for you. In 3 years not a single member of our group has been caught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt your files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and are not going to lose our revenue because of your files. 
It is very beneficial for the police and FBI to let everyone on the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR and other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee donuts and get fatter and fatter. The police and the FBI don't care what losses you suffer as a result of our attack, and we will help you get rid of all your problems for a modest sum of money. Along with this you should know that it is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can be done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk, so the police will not do anything to you if someone pays the ransom for you. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. >>>>> What are the dangers of leaking your company's data. First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 
On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. Read more about the GDRP legislation:: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr.eu/what-is-gdpr/ https://gdpr-info.eu/ >>>>> Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. 
If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars. >>>> Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. 
Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction. >>>>> If you do not pay the ransom, we will attack your company again in the future.
URLs

http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion

http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion

http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly

http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly

http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Renames multiple (152) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://viviendas8.com/bb/abc.exe
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffeebde9758,0x7ffeebde9768,0x7ffeebde9778
      2⤵
        PID:1012
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:2
        2⤵
          PID:1100
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
          2⤵
            PID:4524
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
            2⤵
              PID:1952
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:1
              2⤵
                PID:4584
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:1
                2⤵
                  PID:2480
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                  2⤵
                    PID:4304
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                    2⤵
                      PID:3032
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                      2⤵
                        PID:4212
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                        2⤵
                          PID:344
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5796 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                          2⤵
                            PID:3872
                          • C:\Users\Admin\Downloads\abc.exe
                            "C:\Users\Admin\Downloads\abc.exe"
                            2⤵
                            • Executes dropped EXE
                            • Drops desktop.ini file(s)
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2996
                            • C:\ProgramData\975F.tmp
                              "C:\ProgramData\975F.tmp"
                              3⤵
                                PID:3516
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                              2⤵
                                PID:3464
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:8
                                2⤵
                                  PID:1284
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2856 --field-trial-handle=1892,i,10708585726833663893,14068448107573647993,131072 /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3328
                              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                1⤵
                                  PID:1144
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:1804
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\1YwR2c1YK.README.txt
                                    1⤵
                                    • Opens file in notepad (likely ransom note)
                                    PID:3632

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini

                                    Filesize

                                    129B

                                    MD5

                                    22cd465e501d9bc31269d19d04690b50

                                    SHA1

                                    d94fba43518f91057f3e26ff08a0ce9bf6b8f5ab

                                    SHA256

                                    e0d60caa2791597d8c213473b6939d4d0db00e5935f2c917c8b12a67aaeb5c8b

                                    SHA512

                                    a4ecdc7cd3711266fd4b6cefad3d037f1d8dd2d92113f20e25c6c5597e482358b8ece17573d980224e4af701d86a5b637874eecc780fbe95ae62f77b400f347d

                                  • C:\ProgramData\975F.tmp

                                    Filesize

                                    14KB

                                    MD5

                                    294e9f64cb1642dd89229fff0592856b

                                    SHA1

                                    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

                                    SHA256

                                    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

                                    SHA512

                                    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

                                  • C:\Users\1YwR2c1YK.README.txt

                                    Filesize

                                    10KB

                                    MD5

                                    ef9fb5cd27cc162b8197a3548becbdd2

                                    SHA1

                                    e2232583c58da7ce3945208a6898028aab7e4e61

                                    SHA256

                                    b2b355fa22ae7c8573e4bb1939922c1b133eec231e8dfe51e37043a19847dd3f

                                    SHA512

                                    5dcd443d02b9d151705a7176f20bb174ba75b130fc40cd97017bcbf392f9ea47474d793b2c7414c79a890bb2e643275096ed7f6642c5ee510eade43184579a7a

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                    Filesize

                                    701B

                                    MD5

                                    a210bf41a04fd6ecdc12e750d0120a4f

                                    SHA1

                                    3b7d0797dbd766d55605d7fa0950cc2aea6c36e2

                                    SHA256

                                    2ce953d552e87824d361a937e8ab86b587cbb72ceb1d0a9e98171fa887bcafde

                                    SHA512

                                    7b7a6c3c66e5736cb929974ec1d5d881ee1ca13e7eee176fca99e2c7f04a89a1dd19f2db82db9003fdf07d872e830241350a307ca2de7c9b15f6ba7a7ce38e8d

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    7408c3479ae2bf0b5f0d98f6a3dec024

                                    SHA1

                                    87d2230b3060829f2ef889c6bd01b1402c02af6a

                                    SHA256

                                    c4805ec67eb7a6b10cbf7416786c8d6c0a19c60e376cc1ca6ea6eb46755d90ea

                                    SHA512

                                    112d6953c1eb2fc7f37fdbb9c8ef0a76f0616add4033c69c5077c15d4e3a60abc69a9ca1f3009a1615fdebc5a62a51b9f98dc79238583f613a1e234f84f1cf08

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    d59a030d1e95d1c6858ebe0d5fcc5d9d

                                    SHA1

                                    18059773b6d81b21c8e9fa0b810124564a551710

                                    SHA256

                                    b9db3e534e6c698ab2d62c402e0af6038e75a00bef66191cb0e5544ff3f09ac6

                                    SHA512

                                    b9286f27727b8e0a3000a31775affed39cce5db68f9f9ed54161f428709f48f7b1946a95602b37e5f9aa03aaf1ecdb72b58b598ae431630df4c4153fc7635298

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    af3cc2ece1a3fc8c3a8b6ca0e6d12836

                                    SHA1

                                    5fcab47d6af6b49f3ea1a8d64d1a309d05005b9f

                                    SHA256

                                    9ee0a21cd5c6789499fd74b9a6b123a833977256b5c0ecb0b1ac4a75bc3ec6d8

                                    SHA512

                                    1b9f6770aa951791b8e75e26d6d716e1c26b2c6a0055d47cdc9c050166e5363b01b696c6589b5ab225ad25d031061c1ec9f12f78f0d217a1601313907ccfa59e

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    38e8b84cafe24b982144fce3ffbfc585

                                    SHA1

                                    836e6b04f3243b56d98f63c9ba405e6a94ddfaa9

                                    SHA256

                                    04809cd49251cfe94ecff5d4078d164cfe97b95b477312f82bfa1249441a16d2

                                    SHA512

                                    9d216d1fb3bb9b522f4dfa3352af593ceac7ccc8bc4f943810c0d45a087dba8c2752a0b3cf1eb932333e223b7e324217ddab45acb1641c0dcb5d2da8aba0fede

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                    Filesize

                                    113KB

                                    MD5

                                    f272e25c2a36bd56aa5af41191b9e8ee

  SHA1: 362d97c96a70e0b937e584b8c34a53e39cc012c2
  SHA256: 6c6e4f6b4954afa820d61db6025c9a20a07f9e0de5090affc20e1ca2e3789d32
  SHA512: 7ff6f60e8609fa66181c381ce6c1468bb098e91a0b66143eb24cabfd2f3d88edd07ad703d14ec98a01901181e5bcd531e8f26d7d699aa589489c4755c057c19c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
  Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

• C:\Users\Admin\Downloads\DDDDDDD
  Filesize: 349KB
  MD5: b53c1150ebc31c5203c2e8f3a89967b6
  SHA1: ab78e3d53c3a2a70dd6533a2ca97f490cee8a077
  SHA256: b46b2d4237a13ae38b81f7b4aad7fc7965007906132b5a9b65668456ce4ab5fd
  SHA512: a1f30b12fc53a31895b3296daaa0cfaa2146be55cf281de3211bd29afea20cf81847dc145e5d2686c5996c0da75bec266ce0c3437a4d8e705363b86d6b2732a0

• C:\Users\Admin\Downloads\abc.exe
  Filesize: 349KB
  MD5: bcf0e5d50839268ab93d1210cf08fa37
  SHA1: e999d54783714cf4d4a78c49bb7c0704b7987fbf
  SHA256: 0dd36a058705717a7d84622f9745b85277c37a07ad830a6648a01ef6e679324a
  SHA512: 7dd0bd7deaf4f4020f753c390bebaabeb259d4b3069cdfbfeb4ef6edb4d0add44f643ed43692da3b7f574a4a6eae9fa7248f3cbd9898be3d28b5ee48c79adc39

• F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: 4491cbc5809fc159397444ce9f05a386
  SHA1: e75d99023f6a61fa804992897c504df1b88149e9
  SHA256: 6451350fba81e4bfd23dedce6a5c4e35edae305fc30f6fb774a864f10865ca04
  SHA512: bc4e5e1ec7ffbda0352eb942c220c5172b170ccf102c9fd4d36a0922d59ac868a03564645a183f93c4fc15c3de87f95e4b236b38e4c690d5090e9af16e5f3d6e

• \??\pipe\crashpad_4788_DTNXMPDTTAWXMHVS
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/2996-103-0x0000000002590000-0x00000000025A0000-memory.dmp
  Filesize: 64KB

• memory/2996-413-0x0000000002590000-0x00000000025A0000-memory.dmp
  Filesize: 64KB

• memory/2996-89-0x0000000000700000-0x0000000000729000-memory.dmp
  Filesize: 164KB

• memory/2996-100-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-101-0x0000000002590000-0x00000000025A0000-memory.dmp
  Filesize: 64KB

• memory/2996-102-0x0000000002590000-0x00000000025A0000-memory.dmp
  Filesize: 64KB

• memory/2996-88-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-87-0x0000000000740000-0x0000000000840000-memory.dmp
  Filesize: 1024KB

• memory/2996-109-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-83-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-82-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-72-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-411-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-90-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-414-0x0000000002590000-0x00000000025A0000-memory.dmp
  Filesize: 64KB

• memory/2996-415-0x0000000002590000-0x00000000025A0000-memory.dmp
  Filesize: 64KB

• memory/2996-416-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/2996-71-0x0000000000700000-0x0000000000729000-memory.dmp
  Filesize: 164KB

• memory/2996-70-0x0000000000740000-0x0000000000840000-memory.dmp
  Filesize: 1024KB

• memory/2996-441-0x0000000000400000-0x0000000000460000-memory.dmp
  Filesize: 384KB

• memory/3516-439-0x000000007FE20000-0x000000007FE21000-memory.dmp
  Filesize: 4KB

• memory/3516-438-0x00000000023F0000-0x0000000002400000-memory.dmp
  Filesize: 64KB

• memory/3516-437-0x00000000023F0000-0x0000000002400000-memory.dmp
  Filesize: 64KB

• memory/3516-436-0x000000007FE40000-0x000000007FE41000-memory.dmp
  Filesize: 4KB

• memory/3516-440-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
  Filesize: 4KB

• memory/3516-435-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB

• memory/3516-471-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB

• memory/3516-472-0x00000000023F0000-0x0000000002400000-memory.dmp
  Filesize: 64KB