9250d82221692369495d17800c08a5ec57080cb1bb9c4e723bd8095a49863427

Resubmissions

18-05-2024 21:40

240518-1jlb1sha9w 3

18-05-2024 21:37

240518-1gre9ahd92 6

18-05-2024 21:34

240518-1eqe6shc84 10

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RANSOMWARE-WANNACRY-2.0
Size

239KB
MD5

08c03506d6bd0ea8aae4a22355ddaed0
SHA1

a4c30796cc4999c77516b534e45c097cf0a2f7c2
SHA256

9250d82221692369495d17800c08a5ec57080cb1bb9c4e723bd8095a49863427
SHA512

6828996dbcf8f804f54e2e0bbbec101d41d6c30264191b35e4f4b8196994b512cbff4d45ab9151a6c44fc4ebf5e88ba32599bb591e1997121cf77c30ad1f125a
SSDEEP

6144:m2QG52n9ddKM2vkm0aWyRv3f9KvZJT3CqbMrhryfQNRPaCieMjAkvCJv1Vi0Z23d:3QG52n9ddKM2vkm0aWyRv3f9KvZJT3CU

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

38 camo.githubusercontent.com
43 raw.githubusercontent.com
43 drive.google.com
73 camo.githubusercontent.com
78 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
38	camo.githubusercontent.com
43	raw.githubusercontent.com
43	drive.google.com
73	camo.githubusercontent.com
78	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133605419166804163"	chrome.exe

Modifies registry class 6 IoCs

Processes:

OpenWith.execmd.exeOpenWith.exefirefox.exechrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.md:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NoEscape.7z:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1164 chrome.exe
1164 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

2096 OpenWith.exe
3476 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	960	firefox.exe
Token: SeDebugPrivilege	960	firefox.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe
Token: SeShutdownPrivilege	1164	chrome.exe
Token: SeCreatePagefilePrivilege	1164	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exechrome.exe

pid	process
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

firefox.exechrome.exe

pid	process
960	firefox.exe
960	firefox.exe
960	firefox.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe
1164	chrome.exe

Suspicious use of SetWindowsHookEx 53 IoCs

Processes:

OpenWith.exefirefox.exeOpenWith.exeOpenWith.exeAcroRd32.exe

pid	process
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
2096	OpenWith.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
960	firefox.exe
1120	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
3476	OpenWith.exe
416	AcroRd32.exe
416	AcroRd32.exe
416	AcroRd32.exe
416	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2096 wrote to memory of 2984	2096	OpenWith.exe	firefox.exe
PID 2096 wrote to memory of 2984	2096	OpenWith.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 2984 wrote to memory of 960	2984	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 1144	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe
PID 960 wrote to memory of 2336	960	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0
1⤵
- Modifies registry class
PID:2948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0"
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.0.1183494704\2031410415" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {341fb07d-78ee-4511-811d-17ecdcc10fbe} 960 "\\.\pipe\gecko-crash-server-pipe.960" 1764 23c4e72dd58 gpu
4⤵
PID:1144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.1.2013561879\792103407" -parentBuildID 20230214051806 -prefsHandle 2396 -prefMapHandle 2388 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f94d57d7-2554-45cf-9372-081c540fdb2d} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2408 23c41888d58 socket
4⤵
- Checks processor information in registry
PID:2336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.2.857108594\1510645050" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3589e78f-0752-478a-b28e-6620e5cf68a9} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2964 23c5151fe58 tab
4⤵
PID:1236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.3.1991425383\1268912353" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9c8dfe-4939-4649-8cc5-59b0279679df} 960 "\\.\pipe\gecko-crash-server-pipe.960" 3572 23c54115f58 tab
4⤵
PID:1684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.4.1574692312\399017685" -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5284 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc36b314-a15b-480f-87ad-c729f28d1a3c} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5312 23c560b7f58 tab
4⤵
PID:4156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.5.322902726\1237213724" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5292 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4cdd1ac-132e-4056-a060-1754c2633647} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5448 23c560b5858 tab
4⤵
PID:3360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.6.1972376646\1182099781" -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5636 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e45b269-b3c4-4f65-89f4-4c4aaf7f7cde} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5620 23c560b5b58 tab
4⤵
PID:3308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.7.1676384137\580054265" -childID 6 -isForBrowser -prefsHandle 5824 -prefMapHandle 5496 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c35f479-28c4-42dd-a8de-d6b4d6086681} 960 "\\.\pipe\gecko-crash-server-pipe.960" 5480 23c55d99b58 tab
4⤵
PID:4808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="960.8.1631015471\1602377947" -childID 7 -isForBrowser -prefsHandle 1632 -prefMapHandle 1608 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1200 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f60966-b197-4fd0-a1a3-c89bddc1ff6e} 960 "\\.\pipe\gecko-crash-server-pipe.960" 2612 23c559ae858 tab
4⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa11a6ab58,0x7ffa11a6ab68,0x7ffa11a6ab78
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:2
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4988 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4992 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4448 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2472 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1508 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2796 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5580 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5140 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:1
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1828,i,10131370413948117755,10969256875210878606,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NoEscape.7z"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:416

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=055636D2ED86CE71DB5C6C34898BCA33 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EBF2EF245606202607CECFE61A9977F9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EBF2EF245606202607CECFE61A9977F9 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=25AB04896F2F53AFCBC3654B51A37861 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3a8a938f-cc52-408e-b460-ef77197abfb5.tmp
Filesize
259KB

MD5
31593e613bba59ad5222be68ebff2880

SHA1
bb8562e454937067400ee077f13a1344904bcff9

SHA256
f1b5956170e61f770229ca312ec67596ff139dc45aa134a3faf8dbab8f0d5696

SHA512
d61578e90fc8aac10f80869fa1228c06f2942380edc227d68743675cd11262c12b3a8e6672b893c6d222bbc6c838dcec18fbd32fa5f2e95c447f5e766d805267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
8d0166b73d5e1c047152a176ede6d22b

SHA1
b69a552b07cee4e721b414fb10cc42a0dadc762d

SHA256
9fce7ec3e43fae1dfc2b2963c306609d1ba6976803c2a8b283ea918bf369dcd3

SHA512
a7dc8fc4c0475fb46d9bf4270db5c942fcdab1cceeab374f07cb3183deedcd443413703300ccab3cc3e47f9840f0b8a2f0b7de1cfdb253d31866e252706a5b3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
13b7d6882f019a5bc9d7b6c2b002f75c

SHA1
fea99d9fffa8115f793af2ec47935bcd45e1d327

SHA256
d8243bca742cbf6663ab7ac9a1f44b90e97cc28cd0b22033ce175f718a8e807d

SHA512
09a6034abf9137e41fde48650f0fcfab24889971c578b0496f6006ab93f9ea36182bc83cb896b6a3640672f923d37c386df64f8b8b060c194dc1a309dc16393a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\063ebe98-30c5-4b0d-a14e-6f432250d6f4.tmp
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
1cea370a58402cc11e1676ce1a5c59df

SHA1
deae0bc6e812cc486fe3d8384f03e14607003120

SHA256
6fb8588571266adee4f029c12fbdec37886a4d340e08c473f0bb3a25bbb31d6f

SHA512
cf1dfc0ae9aa90dd5275b471be6831a12eb71fc99212a91a98b3c884ac17ecee8569221c2102b8bb1f6a0fc17fac950e7719a0714bc01bd70114e9c55bb7ff94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ce5182c052651d1b0369b59857dd4476

SHA1
f200279256985f67c826adb73674154dd9dac3fd

SHA256
7f578ad4ebef08132115e7ede9ff44041df57341115891acfee50303e89916c3

SHA512
4ac805ce3e5974146c70532986df1a2df3fee3d99a3a53f9ffb0ae407478f89aa6aaf51f2fdf7476c1acc86bc5aec28fd845a42930b89cd91cbe6e1d80531ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
146d2dab763186f60ea3f74482f0dbe6

SHA1
cc891dc8c321a51dd39d188f790d9b3221efc6df

SHA256
83a4bac635c3ae4d4640c64dfed7385b234ceae8263f1821644a1dfd53ebdb0d

SHA512
7ad7032831e143d5d6518b602a4d1bb418cce6f8d900306980a48b7ad2fdf0fe90d6d22acdf177f63cb409ab4ed85502711ccc8406e1b76c1327a07628b22099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0d576d4940ae16ec374a66c77e623324

SHA1
05f354eb68c6f9a9dd0a149af6664e765a18bc5a

SHA256
43cb366627e8e67d73d42346d60528a884e3c06e546b950ec9ba2e02923494d8

SHA512
96e59fc7ab49a49582c6537df056ac873e69f0bcf31d08d10ade0f80c732f899b9c566cb935e906f798687ac2e8a15dbb382ad1d0747a0b6d1e9a5739a3d2578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
3524f91f9a3b120e5287ec9f00596c0c

SHA1
98ac9ff2f01bcd8ee118207b0543b168c1473a99

SHA256
c8cdf41cd9edba7550583349e529da84db564339f1a7f90898e4b1c1d6b711e6

SHA512
0d556ff9c47c8d232c842f1d65de82c6030efb59aa1d9723cd1183ee1729b37627d296abb5c6bd4b683e52324ba5424a57159a9d5e10e988d8e5c3642b7f0fe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5e7cf694a5760e2557c3669295ecedd6

SHA1
5a0fca345490c820a2f632d4dc41f1821f7d0668

SHA256
d1287ce8769e2af709836cdcde7cedf0bc44a10d1cfe13f203d652d7038daa01

SHA512
7b23e838d11a43537974e6b0fbc0506fe336304454bf4d450c957d73401ffb131c75069c42f76d629433a2bdf7ddf59fa610623d8ba8e2bbe99812c87d7a4e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
24616ef7955eb279a720bbcc8b330481

SHA1
1e9452fe07c62e55acf8d9d416dff61f51721be2

SHA256
3fd1247d0e998e3ec26d58a014c320ac2b95cb7f437cab828cb37362861d98d7

SHA512
de6c77a9c33d6b45b88864c926893009ca408eec39a6f0b6e1bfea7660d6e37cb51d526caa68e568ed8c3e121be0e50799d2fc890c06e1c21a5a6e3e13ffd815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
42abc24df1bb91bf59c9fb838d14b508

SHA1
4d60e7c4c49d57dfcd96fbf5d46087ccfd1842da

SHA256
52c1c259f8abeb2c2110d5a20d95828b9907e8d5ab6aee965f3fd6a54651089c

SHA512
5a48a736475ea082c5120a939089b2a049df42302820182993f136785d0eed0a64399cfc54177da1b80c26daf44b185725f5045bde7351615a1e6a52f6a19f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0cf1e8a565a7f2795d763b853ab7baed

SHA1
01a460f33e158702050a6cfbe186058a23e7db1f

SHA256
f8c1e7f952685300cd449fe4002c4302d25d97b679d22a0d6528eb5b9b2fe1c7

SHA512
7a4f6f65ab1f25576fecbe08197b5e0c11321e0c116a006c8c0ad11f45aafe081f7b174077dfa7e2da22c4b7eb1f6d0685206a7e43d06852fa0aca97afc26ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9fb396c188af4ce74a4df7abd234334b

SHA1
a2dfcdad1870d3a716aa8280c466e724ab333ec2

SHA256
e479af73b212faa27545f6173df742cf287ddf1e5a3622f26cc1a3c5f58bf2ca

SHA512
88d3426ab408aa92252687684a3ab24e57ec4c445c1737835564fb22fe27b5da0929d73f2c81a6336622cbe4cd95172b81bb09350fb1977fc2931165306f6e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f988d3d6d199600b749a68b12cb5618f

SHA1
7710e112a0f3ef4e9b505a94ffed80c943ba7c5e

SHA256
3f19a7a221aff7469447c872a1ff1ec978a18b2911bbdfe443332fdfdae726e1

SHA512
9841d0876d9434e4ae88660b52394ee3cf7cd5d7566ab1fef8ac3bad7df29c81ada338fc81bdb6f4991e02e0d5ffe5be469641c62a4bf47501488f84e732579c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
ed932e3b2c6f66d0c0b66182aef0e93b

SHA1
9373cd7c52dd8331004228d8d8b4df733774eafc

SHA256
457c18c70c52056413e88cce0aaa1e5fbed41888cfa4cde86a72151dfd7af782

SHA512
2a7fd52538be18595bce76c904c10c325ca79f590cd71ee85967fc869199dd5b45e7bee01137956fa231f16dbe38fae46846b1998e1a3a77d9218e264dda8865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
6f09f2f2189e24e05cd6049d417c0be8

SHA1
bb4de82db29ea50d693849b8da3f2e581df9e995

SHA256
1715e30a6e3e0ce1701650feea41f93032f0a5c06c1f24b87467e08eb9e9d2ce

SHA512
c0236e3b9eb0d760f5cab8e39dba332be6d4a47d0109ffe7846d2927ae040a5fe8a9aa0c05ac64b78ba7de67ac886ed8952e1f46c03a73e03ac29e745f58d940

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
7f637e465218e762312d20cbf9b8624a

SHA1
dc1e6bf6a7dd7e882d2e1d3d29c7234b2c418654

SHA256
128a60ce7eef2e4623690c747de44ea9eb9f27b38a417485a6dc52cc71da015d

SHA512
2edf9987704a18adf94224b2247e8fac89566f4275982b810de1bc46e8ae1e6d919a7077d4d694682f9f48b4fc0dbcc652f80b82c9150aa511212b3438ea2c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
501ea766f2d2647047b29c1e5e0222d0

SHA1
90aeeaade55d1eec7debf738ecb9548f1ff7cecf

SHA256
c1dd95bf34be96ff34d9d724df963a967714cc73dab34cf0db8d15003c1e3a9b

SHA512
826243bf6d4d7def8fbdb9e1dce8c3d32e051d9ac7d052e87c7f5823407b1283186b91f4915ac0240c8cec7767852335369d70efab5ffbe52b98f3e256fbe382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
347bfcbf71f7b2191a2312c9c0a81b70

SHA1
d4d1efbe9c16f4d30b17766fa46511a075d93a60

SHA256
a732675615c5f992b59857a04f12c861344a7fc9855b64d70807f550b724b1c8

SHA512
bdd1fa33c84c4571faaedfe13175ef8b91e6e7fd155c8497810741ee667a509e30d1a04d897465ef967b6e9570b6be63b0d4bc8007fbc8076e677a242e7759e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
f00a1227e665db5207164dcd4e2cc4d2

SHA1
cabe83aa9fc30ad686ba1905ca46bec534bf7f2f

SHA256
af02c66b2c20da7c969bac38ab558e93cfc89bfc15338d6876f710c2dc942c06

SHA512
c13199c1513c08535271b6b0f7daaca8813347d80d326f70e582b5897023d1ef3232c69a8d225d2c1a3b2de19b6e805d7c089459739e76d0ea62323868201920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588519.TMP
Filesize
83KB

MD5
015bdaa15ac69e0c53130e9c8d1cece2

SHA1
b9e878b716f95e80a13b2cd4b933bfdbe1bd0ccc

SHA256
cb69e6c99c8e4c38e50dc43bb4aae006b3e978fa3d81d5c52e4f5ee78ef44d0c

SHA512
e3f0539881cbf4c55772c2fb21e686d62faef454b3ce7733142aa83b63d09e4f818fbd714ab84496acf5eee10ac36a25b9835eac7d958579a0fc305872b9862f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qvsz39p.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
267fc2437a0fd3d27c3fdf3d8facec64

SHA1
3d52561848eeea9557bd621c3ea6c23e59459184

SHA256
e43123c9ae79f0856269e9c4acc0eaa7b56b2d336c4dbba369ba7d5190a617de

SHA512
727ad40c6a34431bb8db56403fe494daaaa8c9a40cf0ef236ab0e1b1314ce964ee47b140b52e7077c71771eac4a8d1cb11ffe7660d596add69bf0ebe25d7e665

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs-1.js
Filesize
6KB

MD5
188db5a2ea2da2373eda2a5bb84d6070

SHA1
c62b0a89ee5de37be37cbdf4de9ce70f63a74b27

SHA256
327574f4e4e3fb2b4a48db0690a18ab2b91ac8e344bada810eaa3c0e2d1b07fa

SHA512
992833bc7c5d5a055d6d3232afd2e3619030ecff18b891be7ae36968e6cf8c79dd24a026254ae21e3b40890e12016060b501fafe6c138dca16ee1e7dae1eb59a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs-1.js
Filesize
7KB

MD5
867722c145151c20e3d25a7811baa45a

SHA1
4f3073a62121830e274bf03449dcecef95f63284

SHA256
e2c1d2379ec0e3cc8ce1c74dc78e3fc0ec6f6292e5256e5494c3c668ff640cc3

SHA512
f915544d4108fafcde8ad36c5a9f4d02fbc8e2227af0d1cdb27b973144c3cebc75e0a994b24ef109a8ff33da21b684afe5fe87293c447a92056b7ee5adf22488

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\prefs.js
Filesize
6KB

MD5
ca2189e06115b748b235824e277dd2f9

SHA1
e90924fc26e5dccf26c83f86d51e9d0312da7dcd

SHA256
907a602f71bd8beddd34eb8c83d320c6c04b664c8b64ab943bfa6b24cae87b1b

SHA512
b0594877041f22ed4fefc584615bbc20c16320954d684a4f6e82bd578c15bd092da3d8a04728bc8da7e1bcb37288251fd2f89a3244bcae1a9214514ac0951077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
54d363ef49c25bab01e7529672b74195

SHA1
55b135b415ba491a6502a1101a0d5fa44bd3ada7

SHA256
7f5084b01f032277b69811578fa7d59854b6901ee4f5df6e11503290dbc8e641

SHA512
612cc737c59337d3d355ebeea51fdb59a3c9aa20895a3f94ab25a7c5a352118f4758d754385996a27bfc636a9570c22f23f31b5399c6c3e130651dd3ccee90ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
bb80bbdebf3d6480a01c56179dfb1546

SHA1
e99154a954b27f50c762035a9e2b40639d096f4c

SHA256
7ebd5535436ed056080c9d829812939c355481cee815697b756e0126c6f19a23

SHA512
49639635d5af6989aeb1be4b6879000c88e418a11ef9de11af343dd8c2f2b63be1941a752a9f2fa548a85801cb18c268645f39e0c0b51a6f9d32e77766f7d208

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qvsz39p.default-release\sessionstore.jsonlz4
Filesize
5KB

MD5
0a2c95f649448f45cab163f1fd5bca47

SHA1
3c60dcf97964f964ac641cc8d4c8074b54538d74

SHA256
1de5bf6c70dd06599613d1b97f58fbb8ae0e639468d2684af431c783e4076176

SHA512
49adf80ffba58afd1c767925e994cc3c44f681a506b9fb0f2c6a7f839c0b49d1c23e15ba36a36a7abc9f0278e7ab20fd1ef1d41194148751d97f5eb68fe399bf

Download Submit
C:\Users\Admin\Downloads\MEMZ.md
Filesize
549B

MD5
d5248f78831dad69e79c9f2705f8a4bf

SHA1
dbe127c7176740870106216415f106a698910a77

SHA256
e358aead9429834d1274139dea72e866d195058aed8e2b1a5756e24138b62293

SHA512
795d0025a1439869c9ebb159371c7a820f5d8bda8b580cba827e145a9fef6bfefe3ba9e39478d7a0a9ef35edd0d37be771bf8bf1d1c4995345e340a808454703

Download Submit
C:\Users\Admin\Downloads\MEMZ.md:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\NoEscape.7z
Filesize
617KB

MD5
633348e013a0f26636692f4fdea9814e

SHA1
06fee52d37c5f604dd8c38ba1c13c9c4fe503f8b

SHA256
0f3338d8ac521cc76377539cb7d2fb4ae724e9e88ab6cc469017a481c3ff466b

SHA512
37064d02b8a6bc713088fbe0f72b072eaf4d9a24e99368799d0a63f332475a8a37d441591e01f1ff40cb6773a4c278f87f91dda663a30bee5bc9d88c5e1c88d0

Download Submit
C:\Users\Admin\Downloads\NoEscape.7z:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_1164_GBRAUIAHXPNSRNBW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit