56aede9c30b52b3e6a36e393f433cda879bb76bd6ddcb36379d2cc6265283a11

Analysis

max time kernel
455s
max time network
457s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 09:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

script.ps1
Size

464B
MD5

240d54af8bb821a3f5dde5bf9b9d6c38
SHA1

47de343a4ec9ed08e370b5cf826d8275daf775b7
SHA256

56aede9c30b52b3e6a36e393f433cda879bb76bd6ddcb36379d2cc6265283a11
SHA512

ff3290522a9f85cd96773d2c863147b0ec06c622be9ed1afa127ba785dc9afeae7c8d170a422eb5a312e1ed793331ea86fa3a7ad2ba56a4356d365e725c5557d

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588549052048989"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000090bc7f32d697da01e0d22fceda97da0111345d04149ada0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2004	NOTEPAD.EXE
1588	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5112	powershell.exe
5112	powershell.exe
1084	chrome.exe
1084	chrome.exe
1972	chrome.exe
1972	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3848	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
1480	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1916	1084	chrome.exe	91
PID 1084 wrote to memory of 1916	1084	chrome.exe	91
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 4996	1084	chrome.exe	92
PID 1084 wrote to memory of 996	1084	chrome.exe	93
PID 1084 wrote to memory of 996	1084	chrome.exe	93
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94
PID 1084 wrote to memory of 764	1084	chrome.exe	94

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe3f90ab58,0x7ffe3f90ab68,0x7ffe3f90ab78
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4008 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4944 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4868 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4400 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2828 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4900 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4988 --field-trial-handle=1972,i,6511188106982344615,5256057472561668952,131072 /prefetch:1
  2⤵
  PID:4952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4516

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lick.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lick.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lick.bat" "
1⤵
PID:4336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2976
- - C:\Windows\system32\shutdown.exe
    shutdown /s
    3⤵
    PID:4732
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3692
  - - C:\Windows\system32\SlideToShutDown.exe
      slidetoshutdown
      4⤵
      PID:1496
- C:\Windows\system32\shutdown.exe
  shutdown /s
  2⤵
  PID:3996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3916055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
05c53b221506e3d51e86168bb6aed44e

SHA1
6e07375ce392e37f6f87982f997d002d77e16df0

SHA256
4f1729cb6b3a6014a6d77f377f7dd0d06fd7c3fe745bca646537206593ff1fdb

SHA512
077c2a7fd3a4d19fe88b060028c7f68c10f006dc9e39e0664f5ca17021de9fb81a2eea933888fdb1f882a123673da151ac26cf1c4b7bfe16892633ff3dcd2b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b472eba7f2d2cf13623d7ce878089c8e

SHA1
30432864a0839273726271acd35f7384eeb7f021

SHA256
8e4ecb8bdfb2b4aabd5582f98b800bfea4c7ace08eb79fdcec3d0e23a783f2af

SHA512
365a06fa3a401a2862157606ff67b200c601c16caef8d8079628dcaebeab9c54c4c236331018613dd8860fd8a58c0c6161ccc357343e433e077e810fa3bac452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f605a7c44f830c523fba88cf54bbfa13

SHA1
e41c01b2bcf52fcbf3ab48dd0465e2dcb37bf74e

SHA256
b5d69ed531bbca4acd2696a25593df4c9b6e75c234369729556342d61b4d0b5b

SHA512
261daa8e3ed8f0b618903d02a838b3584aa413a6f8d62e9e1fc4c9b15c40228722515b5cff62986b0cc2029a2cf40765be43b638a8d91de1b9a4f54d887ebb91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
642e04a97574a5c2172ad6cc6b27c3a7

SHA1
8e90850af1035213729afe1fa6701cac541bb291

SHA256
a7b34407a067f76262c6db50ccc264ac371e901e477eaad0aee8fe97e8d1ca22

SHA512
b9f0b97cf42f8a01ebbd2c372e889ae860de41fcc610011261225191975d029ebe8134004ec0fdd6d3f5d364bc8cb374077361913a83fe83600578dba49946fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
116af7e2864c1156b5f2f61996f6465e

SHA1
93f2e10f0040e9cbced22a68fbf6b018ac169716

SHA256
f86bc17967a910134b924af6d1b728d778f9ec4b7d5461c04577a51a7602dd6a

SHA512
105a84908b2b1bda7fb12ac24a5a636a2f17825aeacd530432fa7b192fa3d6c8eb938ef9867e3c41d28ebb8520763b6d65447d3211ba570c358080a15b16050c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
86254aef95c43f8a7272d6f593186f79

SHA1
d8fbf453cf8ccc594dac5a523c823c0c686f882e

SHA256
39d77531f8d050b183cba984e095ec7a2c3e66dac104a123e871255ace3328d5

SHA512
0999392494051badbed9aaff77e3b8198623407d594e772fbfdb03d1b613289c9a44a7c643b306d51385b60ef6871ff645a7d2f649aa7a5f80b5464be967bc44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e630855e066bed16ec8b2df3802d88bd

SHA1
d80d76b66daf6665401faf399633bfda2a3baa29

SHA256
a40e99bbcd1536532d01a31c4b6ae3727bf392f2def2b610d44426cb43d7bb4c

SHA512
75aa7a00bb82ecfe95441298ba37f08a9def86017b9b59958e10a0413dc8e23f003413ee38b3161c8ad2f1e8dcf1705a2d31b903f88e234479650eee6dd479ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
cf7c0cb273d01baf4f14cd7cf46fdaa3

SHA1
e620149d43140fc752ca929e5e0f017ba089403d

SHA256
97baa3b300521db2ff7e4056890f330ba068f14f4b7c271d43771baf2d8ba304

SHA512
e69febd6ed709f23a4f020627f0b7d1c1756b9578abb77b4a7ef86041bb993e2c01b35480850f0ae626608ae13d35822e399039ed254a875127119e070b7f21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2fc379012d124c268963aed88edb0a7c

SHA1
4d301a5ff4b99b16758a621ba91a7798dfb88179

SHA256
6229fc2c6def4798bb2c2dc70e13079d4230f0bb063f720ae6c092260e1f73f1

SHA512
51faea73b5c41dc21cd58ce6cc11a163b587d0a7c007e9c0716df0001e0d7ef241ad3debc1bec651ce2f3b1c4c5bcd740fdbfb9868436844bb2bfe98d77d840e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ea77c254d8ef127b4cc9fc8a3d95d0e4

SHA1
3a58d537b63139eff5b8f220fac332429ac8109a

SHA256
1910ccc09737ac814b7a1516e647f42694cccfdaf8791c6dfd897f95b310dae8

SHA512
b7608fd865a8ff6991b60a89ceecaf9e232471f9e052859ef21a64356780536d6d98dd47e358df2ee0d4a58b3d792ae0efe61a32206cb3e9d551eb1dee312c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dc2627e7d68aa1fb83b03fcf7c59b07a

SHA1
9da2689e75a979ab59845ba1b046a07c62614678

SHA256
641579b7b84332f7f4d65ee1dd36cbf50ddc84fe3b0afee5e438b43ea419e0f5

SHA512
f992ce1f08812a4219e1810b1a776a0983b75780703a21e10376ac1e0186ecb55b81b56f9a9c784c95242ca4cf5dc02fa71feaa44ca4eaf70c12c5fa966e4a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ec3a259d1b09fa68ef5fe0fa2dad49b3

SHA1
ac5d479d8fbb0a1e617eeefeae4f05ad80c5a314

SHA256
b5e167a4ab38b2d49f82cb3eba38b870df22bbdf023de20b9092a2b2b5b2dc9b

SHA512
a2735c8fce0234026ae3b5e5ee62268e6ceb698c0d83708554ef848834a077a59a34c1c0e78efd488296aaee42d3918c3fe82c8e625ba9f8d70b222fe25022f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
966b94fe360cf19796897627f03c0f76

SHA1
6851bd622fd670f898e68c0291c7ca493d0094a6

SHA256
eb1811e55439a3af21520c1b57584f0d7e775f862b5c56e63528d0efaa128605

SHA512
e7866311d6b9ebb74f1da714808c5ab05ad222dde417b95fca3a33d8a2ddf5e12b1679072a4775c31b0d436d62cddd8a22d587aded2381124f9e3e80532809ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
d9177f993c92769697b4799e8b568a2c

SHA1
0db4040e0b73a60d3f2afd52eeabe577c0ffbb16

SHA256
889b6047b42acd3296dcf65700d96a7f5b5a1352ae4d507335dfd36e5e74f561

SHA512
b9cb5260a0faac2152b153b0f4ad49b208ada62bcd99e5d09146e9f28eadd0f43e57ffe020c00d1bc6264e7d8e434fc25920423f141592b90d4dfc0bca83f4c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
271f7fb653e6a2c06495f1f7681513bf

SHA1
85a36769395fccbfff1afd6761827b721a33e3fc

SHA256
801c8b24ac4ebaf3e0ccafdb325f10f61c752c8ad7596d30c84473aa2a27b24b

SHA512
9e536452b7bc09b6822e6419d4fea2ca586984f79e58adec455faac57873c3bbf92eeb935843a1d70f4646373de52555d90df51e292d8fc0ac47ecfeac163b45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
35b886cf726fb825300259b4d8c5db68

SHA1
a46a23acbc64049848cc67b36732abe1c59fdc83

SHA256
08dfba13abd7a4e055c023961c383e5974e1119708f1b74a13e060e9a259326a

SHA512
930c0042a2a54c027dc898ac2794089686bcb0e331e22516b892673371bac92d8d45d79b264bf1fe5cc71b06e255bc51704f26323f6bdc71852a2fcff178424e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxwomdtw.2xf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\lick.bat

Filesize
25B

MD5
57e845841a06b9a342faec9084823629

SHA1
24942c02a8a3ba30370793dc7ab2f296381ad6b0

SHA256
10be2232fea617b31eccdf3513defe0cdd69f71148c0373e46f26c9c0abc674b

SHA512
4710bde438438a1a6620e5b5c376adf7942e11f9ae66a87ca15149b40cd4e7e9c59bd2d775ce4465840c4c0bce68babd2d3ccbda0931151fbb0d61af902a1afb

Download Submit
memory/5112-0-0x00007FFE3EC10000-0x00007FFE3F6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-16-0x00007FFE3EC10000-0x00007FFE3F6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-13-0x0000017624B90000-0x0000017624BA0000-memory.dmp

Filesize
64KB

Download
memory/5112-1-0x0000017624B40000-0x0000017624B62000-memory.dmp

Filesize
136KB

Download
memory/5112-2-0x0000017624B90000-0x0000017624BA0000-memory.dmp

Filesize
64KB

Download
memory/5112-3-0x0000017624B90000-0x0000017624BA0000-memory.dmp

Filesize
64KB

Download