Analysis
- max time kernel: 519s
- max time network: 520s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 20-05-2024 11:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1.txt
- Resource: win10-20240404-en
Errors
General
- Target: 1.txt
- Size: 31B
- MD5: 7bf03ee373d7b9c51be1f4d5660d48c5
- SHA1: cfaa36642ace2c88f8e1f0ce13ddd74fbd8ff7ae
- SHA256: 0dbdeebf8e5a72d7d36839c711058954f4daabfb74ddde08bc65cf407d9bdb00
- SHA512: 78631bcd0210195d9330457ac57f1c252530f36d0bf204794f39bd6069ed88b35016cdf4d30fedb826b5f264f0c2544bb9e7640fbfdd727224223a8eba2a42ff
Malware Config
Extracted from C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___QFRW_.txt
Family: cerber
URLs:
- http://p27dokhpz2n7nvgr.onion/54F7-C363-D27F-0446-9673
- http://p27dokhpz2n7nvgr.12hygy.top/54F7-C363-D27F-0446-9673
- http://p27dokhpz2n7nvgr.14ewqv.top/54F7-C363-D27F-0446-9673
- http://p27dokhpz2n7nvgr.14vvrc.top/54F7-C363-D27F-0446-9673
- http://p27dokhpz2n7nvgr.129p1t.top/54F7-C363-D27F-0446-9673
- http://p27dokhpz2n7nvgr.1apgrn.top/54F7-C363-D27F-0446-9673
Extracted from C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___MNVR7_.hta
Family: cerber
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Contacts a large (1126) number of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes:
- 4360 netsh.exe
- 3360 netsh.exe
Drops startup file (1 IoCs)
Processes:
- cerber.exe: File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Network flows:
- flow 117: raw.githubusercontent.com
- flow 118: raw.githubusercontent.com
- flow 152: raw.githubusercontent.com
Drops file in System32 directory (38 IoCs, all "File opened for modification" by cerber.exe under \??\c:\windows\SysWOW64\config\systemprofile\)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
- cerber.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3660.bmp"
Drops file in Program Files directory (20 IoCs, all "File opened for modification" by cerber.exe under \??\c:\program files\ and \??\c:\program files (x86)\)
Drops file in Windows directory (64 IoCs; "File opened for modification" by cerber.exe under \??\c:\windows\serviceprofiles\ and C:\Windows\SysWOW64, plus one "File created" C:\Windows\rescache\_merged\4183903823\2290032291.pri by taskmgr.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
- taskmgr.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- taskmgr.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Kills process with taskkill (1 IoCs)
Processes:
- 1060 taskkill.exe
Modifies data under HKEY_USERS (17 IoCs; DWM, theme and accent colour values under \REGISTRY\USER\.DEFAULT set by LogonUI.exe, and \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry created and TraceTimeLast set by chrome.exe)
Modifies registry class (3 IoCs)
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings
- chrome.exe: Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings
- cerber.exe: Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings
Opens file in notepad (likely ransom note) (2 IoCs)
Processes:
- 4904 NOTEPAD.EXE
- 4908 NOTEPAD.EXE
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
- 3480 chrome.exe (4 events)
- 5052 chrome.exe (2 events)
- 1596 taskmgr.exe (3 events)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes:
- 3480 chrome.exe (9 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs; SeDebugPrivilege by 4900 firefox.exe, SeShutdownPrivilege and SeCreatePagefilePrivilege by 3480 chrome.exe)
Suspicious use of FindShellTrayWindow (64 IoCs; 4900 firefox.exe and 3480 chrome.exe)
Suspicious use of SendNotifyMessage (64 IoCs; 4900 firefox.exe, 3480 chrome.exe and 1596 taskmgr.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- 4900 firefox.exe
- 4584 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs; PID 4684 firefox.exe wrote to memory of 4900 firefox.exe, and PID 4900 firefox.exe wrote to memory of its child firefox.exe processes 2556, 4124 and 1544)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (command lines, indented by depth in the process tree)

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\1.txt
  - Opens file in notepad (likely ransom note)

"C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.0.2070165283\526465517" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea8c7b5e-8c56-400e-84dd-f5bc94df6d7e} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 1828 1f97f9d5558 gpu

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.1.750120776\185935291" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32e5a6ae-7e83-4e07-8b19-14e2a07ef491} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 2184 1f976c71f58 socket
      - Checks processor information in registry

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.2.1689989008\1639025445" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b6f479a-a836-40f2-834d-5ef10f6dda57} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 2672 1f90d49be58 tab

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.3.750459469\768419706" -childID 2 -isForBrowser -prefsHandle 3380 -prefMapHandle 3372 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69e1473-fe63-4aa7-9a01-6712cfae0459} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 3396 1f90b8ce558 tab

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.4.235066343\1039926147" -childID 3 -isForBrowser -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c2ed709-918f-4ae9-804a-2adfff8dcd2c} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 4312 1f97f9d6a58 tab

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.5.81534900\748311843" -childID 4 -isForBrowser -prefsHandle 2548 -prefMapHandle 1608 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abed3797-8117-4d34-926b-2a5d2a039a70} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 3852 1f9103ca058 tab

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.6.1631582472\621661956" -childID 5 -isForBrowser -prefsHandle 1684 -prefMapHandle 1600 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9ceab40-b9bf-4a30-beef-420435e20497} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 3796 1f9103ca958 tab

    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.7.450264671\457625397" -childID 6 -isForBrowser -prefsHandle 5052 -prefMapHandle 3852 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b9ff875-c897-4bac-9c31-be709a02ebc7} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5320 1f9103cbe58 tab
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.8.1666809386\1898732801" -childID 7 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5b1dd41-2adf-46fb-b8e8-5d5ac22f5460} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5536 1f9113f7858 tab3⤵
-
Process (depth 1): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff98e749758,0x7ff98e749768,0x7ff98e749778

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:2

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4448 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4780 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3860 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2484 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5468 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5616 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5664 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4768 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:1

Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1804,i,17698346448420852018,990439841960994639,131072 /prefetch:8

Process (depth 1): C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Process (depth 1): C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class

Process (depth 2): C:\Windows\SysWOW64\netsh.exe
Command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
- Modifies Windows Firewall

Process (depth 2): C:\Windows\SysWOW64\netsh.exe
Command line: C:\Windows\system32\netsh.exe advfirewall reset
- Modifies Windows Firewall

Process (depth 2): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6J25WF_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Process (depth 2): C:\Windows\SysWOW64\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EB396DM4_.txt
- Opens file in notepad (likely ransom note)

Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"

Process (depth 3): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im "cerber.exe"
- Kills process with taskkill

Process (depth 3): C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe

Process (depth 1): C:\Windows\SysWOW64\werfault.exe
Command line: werfault.exe /h /shared Global\86fe2e63057f4dc4bb245e04e6a22d8c /t 4680 /p 2488

Process (depth 1): C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage

Process (depth 1): C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aa3855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx

Process (depth 1): C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

Process (depth 1): C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize: 69KB
MD5: 805d4fdfc3d3e5ddd5391b8f361fa519
SHA1: 5425f05d27964bc57cd879e16914bce5053ec743
SHA256: 3924dabf7b129ad34cdd665768bff84c6ffa449b942cab5df2e30b0ea9efb659
SHA512: 7a64df530a77faf100ba32d9cf82ca5d57f6f11f40a1e6688d695d3b726b807b6f7e34853fb2b7ecb30c137465618f09077031f42b24eb80ee90ab5c3a0bd8ca

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize: 325KB
MD5: a9ff8365ba5599a81243476f1a1feddc
SHA1: 6b773a4aa592cf016587f2012f609acb9d8f3268
SHA256: c0202ec0d178205cd2cfabd7aa7c7b82ad484cc5254c7ac153cc2cacc567d9d1
SHA512: cd7bc03b7606e88c1a57fb1f48c71206b62274558118a293ecb090dbd8cadf688c09ca6477b2b998840a40c97d271cd74305d3b9517358752bc3a028094cbd39

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize: 141KB
MD5: c08561b18d252f9a9528ccda1442ae2a
SHA1: 7be97d70e98aaef31b74bd4f6fce72f1b6808de8
SHA256: 12927070a0fe141a24fedb2ef7d706ec8813e7b86af3ac609c6825679688a988
SHA512: f38f2dec5137d96a049f073a14af35bb3c3cb84d2d277da697ead00d00dc9ab614c26c6cd2d3bd60868db204cfe32da63bc1271a65653d4aabb5ee2dca030d82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize: 248KB
MD5: b02ef75ee171dd46cd7e85950804be49
SHA1: a1283c9e143ce18f1761c8b9c106cca177b2398c
SHA256: 6a447f99e3386e4203cdfdb66938732f1328dba895666a2918e8994cf2d2c073
SHA512: e2b79cfbfebde40065a345a1013005048a32520ced0a9ede828937ef679e253c69dee52dd8b675a9182720d520cca120b7e6425db3749bd6f50b9388d7fa823c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize: 160KB
MD5: 509dc4b02eb8ee84785158902b34aaf0
SHA1: 8f71d6b7aa6ee0171f14d35198f694586dbf3b10
SHA256: 93abedc956d4291a401a8a619424fbace07da3e5d10fc4b93c5f455594276ce7
SHA512: c981d96d4f1bb9031df2e0706b77c610572cabe5fcb89afdae42d1542059e6b7fa72588bb1fdb76f4cf27deefc836506aa4c22761c093bb573a61c469c9aa4d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
Filesize: 218KB
MD5: fbd67cd63e5ebbaa3d136586cef0b195
SHA1: 61e4654cf96fd23c478fe0e20ec87cd841170ca4
SHA256: 093d28f08c493c414151298393889a64bb7f737951b513d395114ec08af5204b
SHA512: 84a9166b2a3c528b5b510f98f147d3f7c83905c9a286cecd4cc070b91c33a1135909c80f539ae7939d235fe2376f90dad29f97a0fa37df4e15d046799ffff4be

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012
Filesize: 41KB
MD5: 948cfdaf5d10c750c7cc645072ac26cb
SHA1: 98ca2e5f9e4eecbc45c87cbc14daed6f1843eab6
SHA256: 207a3cc30261e0c5cf267c8a24246c5a3cd1d00e93ff57c2ee44b245efad9024
SHA512: 2befd88ff95ea99a13d478c77da3d6bb61109dcc1ec30779ac95a73a7f30491beb5a83336d573bb3ab9775af8d462af506fa9b192c3c5867e403d4973c34d089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019
Filesize: 44KB
MD5: 13c12dd8035a11f88f36de3b9dc964a4
SHA1: 25fb02df3f77368d59eac2e7a1c59fabfe9ac9b6
SHA256: f58cce418d2df873187a718cd5a0d609c711405480c1b56f004d304107c87171
SHA512: 7944f16894141495458ea9957172ab4ede54eafc76c50280075ce55f9eca941ffe7c876f2ae2536d7492da0cb340aa8094681929b96a428bf9fedfa47c8dad86

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize: 48KB
MD5: 0f2b395cc63db1bd8a5d093e558cbdd1
SHA1: 833d0657cb836d456c251473ed16dfb7d25e6ebe
SHA256: f3797115dd01a366cce0fbd7e6148b79559767164d2aa584b042d10f1ffd926d
SHA512: e8a4ada76efb453c77a38d25d2bbd3a7f03df27b85e26ba231791d65d286fe654c024b64f9d6869824db5d1cf59e4d4eb662f5a55c326e5e249144ae1a66b798
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b
Filesize: 24KB
MD5: a5bb3bb3eda1301f6ac876a49d4b2f62
SHA1: 1786309cdc2fb5c1d29cdac00dbdf13711f19f3a
SHA256: 316ba0d916f3d3d945b42e589de9a0326836664f9a06e9680bb853c828c2bf35
SHA512: f2ab2d40d2ccd43c5e5bf2150ea79d575e0d4a41381a8fba3beb47a8944adeac0bd19dacdbe237f8dd1c06fc04403f0bda3fca1ec0fc429357dc705c6db1eea4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c
Filesize: 21KB
MD5: 6b528d140a964a09d3ebb5c32cd1e63a
SHA1: 45a066db0228ee8d5a9514352dc6c7366c192833
SHA256: f08969d8ae8e49b96283000267f978d09b79218bb9e57037a12a19091d4a3208
SHA512: d3c281c3130735c89ddbf9b52de407da75a3d7ecbf0026e0de5995f40989883178cd59198354976aaa2aa7b47fc5f3f3856a59fe1463d4e2fdb7a27e9f10e76f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
Filesize: 20KB
MD5: 0f3de113dc536643a187f641efae47f4
SHA1: 729e48891d13fb7581697f5fee8175f60519615e
SHA256: 9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8
SHA512: 8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e
Filesize: 65KB
MD5: c5a7113d962c5eb74a8dcc7b0420dc68
SHA1: c348dc63331cd35611851a53aff9cfca3f27daaf
SHA256: a3f9455a7908ac86647d2af76e2f84cd8025da815fe98f65da0f31f40337066d
SHA512: c9960f3c54f43129c1069ac57a33acbeb4bd0cce8393838f541c12c51fea6566bafafb053d72402f001c3909df252073e335833c6318a89f6101c7aa46afa4cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f
Filesize: 21KB
MD5: ea48c33e2560afec958fe8c5396344bc
SHA1: 2d83e09c5784df5c427e017cd312606df8e5bbe9
SHA256: fe6b76517c4f221c3241886d04702bb1ea480827d335ad37336cea28dd9c4df3
SHA512: 3757c49932afd3eda89619a96572cf6d3f940b69d499ab83c6c14782fb320fb6e69681a33e8d9872e476cf697865f1bc358a01627ea455b3d97ecc772cf85d0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020
Filesize: 59KB
MD5: 4bc7fdb1eed64d29f27a427feea007b5
SHA1: 62b5f0e1731484517796e3d512c5529d0af2666b
SHA256: 05282cd78e71a5d9d14cc9676e20900a1d802016b721a48febec7b64e63775f6
SHA512: 9900aecac98f2ca3d642a153dd5a53131b23ceec71dd9d3c59e83db24796a0db854f49629449a5c9fe4b7ca3afcdd294086f6b1ba724955551b622bc50e3ba1e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021
Filesize: 21KB
MD5: d13799a914badab072031a06fda7f0eb
SHA1: 3c28322d73ea38efb97593843fecc749b5393db1
SHA256: 123c3facdefd1fb463a411f64f3fea8eda47a1e17deb6663d1fbc1fd5932b0fd
SHA512: 2316fdcdec1441cf4a6b79ffaa853e889934f6dfadcf76262fa6b15de696b10a244b93f89d64b96ce9f082a488f1f00f233fc4cd2944d6073e8211199c2ffa5c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022
Filesize: 24KB
MD5: 6cbf8f829c02fb20c7025a2db54209a1
SHA1: a5c97ff92c09fb6d041e8c605233aff7f619f6bd
SHA256: beb80436725b4013784e4c1afde181c4b1179fcb193b48a408a63162c0ae1b5e
SHA512: d5529174a05906c3a3272256a68f555c70ba3a091bb11d9650d8b72d21323060fe35431b5179193ae38f7279efc87ea123e9381984e13611306c6f2bda09505b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023
Filesize: 150KB
MD5: 0b1dfab8142eadfeffb0a3efd0067e64
SHA1: 219f95edd8b49ec2ba7aa5f8984a273cdaf50e6c
SHA256: 8e2ee8d51cfcc41a6a3bfa07361573142d949903c29f75de5b4d68f81a1ae954
SHA512: 6d1104fd4cfe086a55a0dd3104c44c4dba9b7f01e2d620804cf62c3753a74c56b5eae4c1dc87c74664e44f58a966ba10600de74fb5557b3c6c438e52cc4decdb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024
Filesize: 36KB
MD5: 01369d5062d49b270c8dd6ab535bc403
SHA1: 39c654df64cd7386081da8108f23573f331debab
SHA256: ed672ed37bfdadddb835de8c346655a17b653094197a2d6080e6777fa59785ea
SHA512: de704934135717cb62e4d15ef1666e78b3d43c17ff5d50b279c21a5318ac2ce0cea88ebeb17b66f4668e1ca1a8801bdd6bab0194b157b1da6bd90c71b29da08e
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025
Filesize: 19KB
MD5: bfff9d83b00a5aa9b944286ea3654726
SHA1: aac4c6e9f26a09c38aa59742b86313d4fed8a4c0
SHA256: 90fe1ef718caa668c13dff783a028dcf133d7d9c5ceec7226312a182afe6cbd6
SHA512: ebe8fde5b6cd266a29bc731077ed905247bb6e9948996aeb38a91f200f77e588e514662713875db34279629b70ecf2bab326b6e152fe8dc4b7a595892e64a28c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize: 125KB
MD5: b265305541dce2a140da7802442fbac4
SHA1: 63d0b780954a2bc96b3a77d9a2b3369d865bf1fd
SHA256: 0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0
SHA512: af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0a92d7d0f462109d_0
Filesize: 1KB
MD5: 953c102379bc17eda6bf4beb730418bf
SHA1: 69401f96f2e3f06d7f4334836497242281900fb2
SHA256: 6206495c885ba9500716a308e2551397cc9e5f686c1ee3fde480e484be6afbc8
SHA512: ebdb8c13ed8513fdd2ceb0a87960c705bd8b80fb3ab3a65fdbc7200f6a6b04577487556839a6074057e5078a53513bae74dbb2e0d1f8a9ecdda32203013b5946

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\72c21e422550d001_0
Filesize: 4KB
MD5: 6022a4ff6c440cd3a5456e7c9cc03759
SHA1: ddbfc0d3b9a1e3eae167a0f559fac1ceeb50e0ad
SHA256: 1f7c3a304385728903050b509994d0f24cdb0063ebefb13581c79474ea0d22d1
SHA512: b46385f33d2ba62a708dcadfb8fab8eeb82ccb5169fa2db71381c5fcfb84d228351ee64924a88f3d2f5d5c9948e2762ea7a87008ca25026629596bda6dd063df

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\81037e226035aa29_0
Filesize: 7KB
MD5: 86e6de45b9725e415b9c1aa2ed7ddb89
SHA1: fd483f6b205bb029fc4d381d2f934b29ed8afc22
SHA256: f56ca860469f079beae9a06a771f1cc664114525122ea80ed507f05b79416f1f
SHA512: 7f97a1362b6403682d9313c2027afd50c19239469148fc7cfdd3344f627abb23586204440af721a7e3671cf2f50241532bf80d0f3064e58d0aa7f8c81cf31574

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a89e6ddf70829024_0
Filesize: 4KB
MD5: 5901d890e936a7a0f7fc3d8a4697581d
SHA1: 973fa122f4b5b4a3308ff39b83ff01c81ce4e873
SHA256: dfc5650a0c27e288cde3229b3de948ed117ca78b781eed4231287cd28d6a9e7a
SHA512: 2464bf5f29bf9344d43f59fdf9d3d3ac993887a1cec6e27553d558d340c42df2ab3348d9a5e893450417bd95457f3380ee845f020a598be3ebd05890e6a5d02f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 1e58a0ddac826254c126b9ec4d326c31
SHA1: 100734cf0ad1843066fa2829b9e1c7d9b7d4d54c
SHA256: 3bd699e84bd4f573593516fa9e4fac3202a23a02235bac0659f971c23f2da6ca
SHA512: 82738a04377deac656b81396c149de0fffa2b14eaa2c0c41befa4a9cc1b512e30b1b93e07d52ca40d90c7700401a55aef26d72e44837db3d3797d250f6e105ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 5f7be7c5f98b789a79883128254fa62d
SHA1: d5bb379c28e8e886a1e871245a5318d13b6eb6cc
SHA256: 67620a8b7957491a9473e3ef6344dfce13f4fe1d4ebcbcf6163549bcf6217b91
SHA512: f07a7c5fb89e87eead25dd02838e89d0381cd0428f80f819acc0359f96bbdb93e155a9e072af71a1bc8c0fb14fd58d8a4169a32be2e5111ccf4470d5d16c2238

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 7d22a2225aa2a141139053a5b19bcfe5
SHA1: 42dcc1448af482c1640c32863f22aa555499fc26
SHA256: 555f57f3890279b3d91b1e7e35813ab128cb8a42783441be741e453b0d8d05d5
SHA512: a21c425eac5fdc33fb505766a93029d4d3b8713841936912eabcb59c138a38c54cc4dd645354708610a833b8015799cd565a5034092d23453eee8af87f739093

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: 16fd70ac1d7d277d1e1e2c17bc87043f
SHA1: 280066be0184606bd50f4fe2c8943c5cbf105f3d
SHA256: 612341deb9645860f5138a378a2a910a503c2a77bd6b0532c64e7e74519bd9ea
SHA512: 3188bf1631fe1dd1ce4800745aaa8f8a1a728535a73e3cdc59db5194e14102b9a23c2c1e57364ee29dc5e5d50824bd7aa4cfc2ba6782947dd54ca8a245a2888c
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 4KB
MD5: 176918f9bb2e105795a781bf19ba7bbe
SHA1: 88da308829cf3b8499bffdec8d6b32a15aaeb3d8
SHA256: 31aee1b4595e64f45a597a781155827fce59cc1bbf484e6a699bc919f79b1c54
SHA512: c6e0ab247745e380d36bde92b9a0d8e2bc6af65d46994a121f73031e66c88e3e704ab7ce144b8bb53798c143af1efd077d9a99a6d62cebeff0bd0df4e2903ee4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 3KB
MD5: 42a079309d6100de2fad8d1a20dfd449
SHA1: 8521f3ac56592a7a18a55aa80bbd813e6ad57c9d
SHA256: 8872ef41587c4d7f62049acbe5dd2b76ebf0947d2f7a972730a995dcd55c36d3
SHA512: 66207c2a53a6c8a2bf348014add3141619eb44845a4823c0a766b2ad1998d0e305402e1bb0323ff2e1b447a31ea57c43b8077bfc8c93a6c367c44d6cc1b404d6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 4KB
MD5: 6b2b2284fee9d985cbd22915916c3e36
SHA1: b8e016908f3dfe3ec403ed2798bd5c3988e19f80
SHA256: d9f05767c97af337b2be218c27fdf2ed99bb182115504802bf3118185cfc2deb
SHA512: a98a1bf95de7cc9b0d108532d05c5f2dcb00fd5360ed3eac8c6a46cd9e442a25661644fb69ca214dab1e19ddb84e8d0ee23c74f2b4eebb6afe905047cf6e3e66

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 4KB
MD5: 774154b81f3c43a893ba57d63a908d57
SHA1: c816f255287b5fba3873377e1475b5e530d6fbc1
SHA256: fd58213a2142cbb649676538a9574c48164cb4411d61ddfeae07402bfa72767a
SHA512: 240db2cddf5c730893e332877d4ed65e81c8618ecdf8ce732d880af361e4e64705ff152ddaebeed4a62d2acd2e4c4a9cf555086a4c6d0cb782619898a7b8359d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 3KB
MD5: afd04e99713ee86af115b7ee1f61d57e
SHA1: d6143bab3d9f49ed4a8d29c9ff0a99a8eef72b46
SHA256: 9c8884eb4747584ba2a1e96109a0e8a8c9bfa64d57accba876f28ab104456222
SHA512: 86c38f17f2cab308fe849a338c1de7ccb0701cf37e86a0189a14aeaaeb3f8519d74307d135ecf6dd9f1dca9bb32439f9c5aae85bafad298befb220660d056c80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 369B
MD5: 045fcb49f5b25036796690bd89c3c217
SHA1: e6123a56c1f17a517de8e19061d2840514624f7f
SHA256: c95824ddf0267358191fd697b9a840b5e0b32cd44fef483148aaae02b2007496
SHA512: da47e19c3a7b93649c540ec6d64e0251358fb3332ce11954943542991efea10864ef3c42834c1e5160a02a80296580114aa499018b0fecb15478be69bb91ff01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: 078ccb87d6a414a2f80048f39b515986
SHA1: 3a709f815dcda980bf63f50ead1648b344e93763
SHA256: b75d92e5f3a69ee13f002fe52bbaf4466c720c0dbff39fd4f9e11913696e9300
SHA512: 676815c81fb6847d104efd01f659df13343e6653ec632c5227c356193f1fa76153671a43f686198b26cb76598b87fdfe76943323a5f271252c1e0c98f63b3980

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: c58c61992634fdeca202f4f02fa58cab
SHA1: 2ba0ca6a1808cf6af7287dcf30d048eb3ce91c96
SHA256: c83aeca6e5ada8492e66d75647f2af3436428c44b4ec407456f98a58fc47f98b
SHA512: fcbd3ec36c2273ad3cd46b060354dfea8c21516db66f84823dce8471c330f0422534770b689dbede485f48b8494b0402828e5db49e26691af7ddcb91cdab255f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 369B
MD5: 87427e06fef34d2b4008623f78abb7ad
SHA1: 92bc8f81d87f1b5b2917fffcb2c44348d3faca9b
SHA256: d5925e4e217e3213b3c6d29a926d3d7bc91682dee1572f37151495f85af595c1
SHA512: d2c20f1191f9a5b4a141a0c0ed143d01bd99f2353f9a78091884549ac732cb26d2f1c16f8d282e07c85669f088f6f7f0babda4fc4dd56850b77348840769d520
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: a8a16563b05a8633adf8891c713129c6
SHA1: 12a7cb08b1bdd2d7c86c346f170a0d85dcbdb232
SHA256: 6f1694a70e51c8edd179d32b2f5063280babef146ee1a43351ed8741ded58e95
SHA512: 765eef6ad8c44cea0c17a949d5ce6cdd423837d9e3471d6177773fa34cb64f07732f08dbe0dfed024594f7aac24f1a19ce660c9028df32b13108bc1d3ee8e97c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: 101e1742007d57448c9a4c99c956827b
SHA1: d8aa3f3ba2c261257b96a65ba74cf2d96786a911
SHA256: ecb3b019f0d68689bfa00c1b8a8a7071cfeaf73f436721c1896d956e188fd25a
SHA512: 3079b9465367471f5e2f23d7b1563fed4a330cf1f3c4aa9f2b4044fbeea89fa1b98fa2476e9e1bc7f56a1a47a3876706bc58c974156c39ace7961a508613ec4c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: d9a749e5799f3ca8421aae65755c5cf7
SHA1: 35c0f6c2b5446c2abd61ed722f20b88c5397894c
SHA256: f945b60d3a6b580e7bb657ba2410371ee85e4da8eb4b17efd3f4e22cfe63a580
SHA512: c633a2c264a528d7a234c2648cc1257765e655527093c47faa4f3a63b0fbf8a78063a0bd6ede5240f8b47cf39456390c744a60917874b9eab23558bf8e939cec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: 476c2406582840de4883c38a8a019161
SHA1: 777b928b094c582a2b20d9171c91a6c4fb8d4c2c
SHA256: cb9364f0cd3518566c3c89fbf04112ff6c805c8952ff8e3b7becc8915b64205f
SHA512: 72f32a68225dc053ca00e3282abfc9dfe2a3774da54f725af87d2aaac2788abbe14f08d72090d592922a49578b6fc01c5abdfa59167121728a632ad2a46987cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: 4389e32ce2442118900a71487ffcfb4f
SHA1: 3e69205a8b2addb6efda7dd4b02d10d22c5aa492
SHA256: 3cd1e2a3bccbc367c387b8318d05cceb1c4e15303032fc8e21856f58fdd24e56
SHA512: 0fe0da9a6c2c0ad7ee50fd3bf2acea6853ec4c671ae0f6092c1c17cffdaa08019e98375fa744984c57e68aea81f2536f3954f3e5c52e68e81a18d6b26640d7df

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: dab712099d1cfca9833216a1d54c5e17
SHA1: 7aa0cecd49a0b1a759bfba537f8cec4d9deed1b7
SHA256: 5cf3974b20f5adcb140e62af1060536962f280b77d803f607f261df45854d410
SHA512: 3f1ee00a19f8e0ccd51896c1f3908e1c480a66ea5b8c37d0ddca97efa17daefe89a21f0b5f088528ca7ab77766d18741e6d39e13c7432a78ccd46169377c1647

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: 47ded78df481d7dcff5cf885f750385f
SHA1: 8dff07d096031b7c8c560fb74cf36a4410c25cc7
SHA256: 876f81b02a835b5f13f030043b546d23a1310da0504ecfdbcdc404f558af716c
SHA512: 787da7c008bfb1fd02ee2808e1f0530ba9e64efd2f9e311db7969ba4738ad37222c9d9adfe4377df9f5c2d37c29375dc2472a57ebf9f0ad5e89693a4cee46c99
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5de1f1945bcb1a7f660ecaadb3c963640
SHA1f8f8a991388537a19dae00197d4c8b00d094a35f
SHA256a66e54359e068b49751de1a5e97639e11a1eee95534e7d957aadb5b3c4fdf42f
SHA512d67c92816a89d734de9b6d827ac55bd8c8e7c9f945822851ee467896a3ff9d92c4a151f89c0fad6861acbb35fdabedfb4f0942e1acc43d48048416bf874ba5f4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD593866fb4144cc7bf2dc97f64803bd284
SHA145db8e9d00f4237bc48695bf149aa1678bfafa54
SHA25619a82e7715ef83a034460f9797158a457959df5af9b7e8ee1f146022544e65e7
SHA5127be3e49a9c49817b7c8c9bc392b3c7946e3d8caecfb4bfa164008d14af07a6108c940acf4147d2833ecf8112d93ad40ec1be9e8d9bf2bc4817f80af8d1a9169f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD54813b6d20fa7de57f097d95dee7bab96
SHA19379d15aee5eda9773653415bcb7697ce55683aa
SHA256e49328817009844ad1af41621d271987a9df0eefce4874910edda726cb4320eb
SHA51244ca768cd26c45a4ab94e64218be6db445e75a23edd32c6284d38d56267157e4df5a4870e3fa6ab9b5d816e23c4fdfa6a652c81eea7fa8c61b3f7794cfbfc659
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5aba30c30a4b1889df3303e97207c8d3b
SHA179bc99cb5343dc553a4d8babc9afe72b0b35d5e7
SHA2569ef5c4c1bbfea5a9e3fbc65aeb34fdd6a9a40903b9cca30985b47ca374f8f4c8
SHA512b6fda5f16e2ff17fac0535992b9e53311bb4d61e367419d49af8721e005d6a1e0707eb68ef1f787beabe3db2c8d752d952438a4268378df851cb77a29c9f1d9a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD588dbfb185c858de30454bdea876d65a8
SHA1b91389782a69d04930e9c7c1d76f306caeaaf32b
SHA25611e3d4be408cd6e21834b22059433e04ca6c9ed1a2cfe6a152a9fefbd1a29bbc
SHA512ee3baba571f8df35eef486e5331b488bf1e03b5c837a7488628f9c46467ea28d1f99861e31939fb2f38f7e1b652f76f9b0c255c8614b7c0df9b17bf73a872b29
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD50019a2dccd5b6cb46bf70fde59a1fae5
SHA1680047e42a7da2cf8fa88a3112cbaf92313f8524
SHA25610160feb8e27230c21b6780d64fa209d0f63d401270649e0db3a13c8eaaec134
SHA512e01a985be7bd6462b74cb4ada55e7c0fb4efd9f9d0266573c94795878a3cd4f1586bda41aacaaf7512a4ef77e2f3f99d6227b7717df8b84830678459583dfa6e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5b682d470850bb8aadbc603c213beaaf3
SHA143ad84490f3924fec86f332e424b525be883752f
SHA256df5e0729989f8816fc702aef835876b502c3a6656690b8f3f45f2ebe7a0bd384
SHA5122efb4a8d6321340883be91b9d03a82cc203ea5b3c35804322b1bc7d1f225fccf7a3c8ffdb48ce08f1b1a788a66f9b7f5943cc713db12233f100f81881506f074
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
116e9a73a38d9d24e1f68cc2829ef3f5
SHA1
478c1f05ed668e870283b4975aba1dd446285dc6
SHA256
36f8eb27b1aff628dc280c9ab882178931a385899eb81e0263de85c6dfd96df2
SHA512
6f5f1f50b9fb95ca4d32815e2a7784684e1c8fdd621de5b16d7c83015c605097edf3f379a2e87ac060a112a5bd6d5d8068aed9906bbb6a7627a2186792fd19c3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
5f606614f7566311ec8cc8855f7c3359
SHA1
ef6356855a2538afd1058f053dc785bb2acb4ccc
SHA256
0a11e6e7fdb5ef522a850fc67166f1c7462b0de40dcfc2d8d5fef4a9628e8f30
SHA512
d76afd0b4a2857f431953a53625cfebb650eb99e0466f00d1d97dfb72d9cbefd26c93251e9b71f9fc84c0cd49ae897da1db4593c0c2ce3764a6048b4d3e6ca52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
012c2b2e4f8a17beab81e7556d8227e7
SHA1
ecdcca04e77ba43e2f41300f1e9b50967a785067
SHA256
ead6c837003a2d6b540208e31b6b1e144ec7cb0ea55289f081f102d3baabcb9e
SHA512
29cf7c6141b3e5825d56d4768a18a69774e1a603d8460fe5de0dd94c1c5be1788f4c1f0180de1c4ab9993330893535b9eca5736217fcdd4d7aad266466c7544f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
4079b53ee0cfe0c7d32d7509a5b699da
SHA1
8cb547c03d41e78e3ece45458a64b9588941e080
SHA256
099f5b87ce2663544614650b9cf4b83f26854a1c7202ee2e2b0b8cd01d882287
SHA512
d6b362222473c1752613d003488425e84ccdf30743d0b619bdae6caedb68056993035c5ff1e5b09d97a2fbf97f873c20bc178fb7540b5782c6ffee1f559e9fb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
67f9358249b021b50cc4fb60f7c5cbc3
SHA1
46c2cd1e4c349649c6a8a46048411a8da7ca24f7
SHA256
28e680a4ffc7637926e08d9d23c39cae8114fa678caff53e5036844605b5ef86
SHA512
8e2e3f1421997b8152ed9fe9482e9f0764efb020278e04f386be977256cb01d18ef59e4ac7f1092e5c2cb6c47d3619b36a0603f6b53322ad29c49dff5c947847
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
ae916b8c363276acb8270ec289629108
SHA1
72c63095cd11845099e54663173092bae912fb78
SHA256
71d4fdf2d787d195f9c804f2d397d23f4444db97fa4b3986a36d9a2fd276cf4a
SHA512
3d0594768a329ba1d387e87b3add913d787cbe2da3d5f48f838b011526f2c9d70f8840b93b2854bf0f8eea592e9cb4ee8d1a977ef562dcafe9f95082ae03508b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
ce977ea1f392ae3a6d7f88e1481682ad
SHA1
ac65fed5846d4a3a80ec6194c0d769860e9e27aa
SHA256
df9db6f9c01d12ccaf71a9abe4487649adeea0118e88680e4013cdd1a84a0367
SHA512
1c9cf7d9f3f0f3699e3f06f8e8d09cf10e8e1fc2b65cc9d9e4d96e2fc7fe02155f9f668819c57d85f263f53e369466374a27afefc2cb4eaf53de108f040b06a0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
e8ceffa48a801062a8788e2160b928f4
SHA1
9e1cc69f9ff005f213ac820613bb20147fa7f6ce
SHA256
244b2ef09b6e9a90daceb61f289ddd1f0160aeb329454e6abcc430cb33c5220e
SHA512
116124055f507caa3d0d369a1a4f017d5832cb6950369b6ac84b338442b1725a3557d3bc531335fac9ce821f4e87181d9c54842716dc615769d8e49ed2a0618f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB
MD5
d0a9ceb2b06d0ddaeb1cdbe3d7b4d404
SHA1
b94423b4eb483e3906516cad85afa1dedfe35de9
SHA256
bee737af380c288537bd4d252e86750c33872a54937da2ce7e17f375664158c1
SHA512
43ef020e2994e628f8957db6614fbfe1895f79982625b549d066b35025142ff68d519fe8c987cbdd6cb3ff2c62f30141f6fb871ae8596473b4611c0f56c64b67
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB
MD5
4ece0f370d139f7f334f4cf71d35c698
SHA1
a01dc54a7a79b1d887184f330da3f2314b4d4191
SHA256
67e28e9b4fc7ac7a2f6ff36b2b9ca4b208ebb45ed52b2c72ea361f6651081df0
SHA512
cb5be21fe2e56c52c06b7acbd66fc827fbc6790415304315fabdfe7ff7ed4ad17e06d4280e77be3415974ec9d6d9ebcc907fa7637277ef434f1c832d802c9526
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB
MD5
ece8b35369b9da2f08e53e36ce720013
SHA1
b700f120ad8f5f9f1dbe2caa778ff1e5607fd11b
SHA256
1762472c5cc72d6fc5ccb6e2b4dfaa6aec5acc7d07b07931b1b4d981233a955e
SHA512
0c5b37e82a11dbedc2b320854764128a250a003b4aaba591f2628c1d3e440454ae731387238acb75cf031d50c3ca24bb4554740bab0a90a72a3757bfb638bba9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB
MD5
7f27f02a965fd6de8e657c73a9be1c27
SHA1
b1da89679de8437ea71f93889cba2c9f18d438a6
SHA256
0213f4d4fd92d822afbbd3e9b2a881c93173389139fb22897d3e2b37afa4d2b7
SHA512
8e71b9f302c4cde92d29122decf96ac6d7b582e7c59c3ab7697f3302e275f84073eb011331b8abdb6e819b7da3b14c615eb2acd9efff4b9e06898e05cec780c4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB
MD5
795d770d04cbf9c472c5a55b82168bd3
SHA1
b4fb0a1c6dd5143c9499de14baaa3e568b1efef6
SHA256
1e48659ea6252aeccfac4d0723d0afcaac45bf6efb070aeb074c226435f34f96
SHA512
e06cabcc50059b58a1640251271e3661c342d7dbd3274269dc0b0bcaae90e49a64e5bcd3753f8c44542cb1a7b2f6a6e68e3d7d42c9c4a2eb90cd94870d151c16
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB
MD5
30c2cde3481c08f4211961c5e4d6fe02
SHA1
9eab4b54fcde3484b15a2b40dc84d58de686159e
SHA256
feac2de647ae35d9ea8fb6a6ff39a50b4bbf53c2edf693558d9bf7d5daec5875
SHA512
9971d83caba7b78be082a62c09190c41de53b1c2435b4bf970c23e56cea7b9661aa71b8439141d06cd411969a637ff528e9971d70017ac3de440c5daccca56df
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
298KB
MD5
cc3df2daf96802ae2a03be5bb16ca87b
SHA1
680a2239887b856da072acce89c3bb16f1d632c0
SHA256
a7233d333af1795f05c5b9375300e18ff2c0a90ed22e3a0f464a3cd3613d8728
SHA512
177f110b6da3bde24154730b1cbe417323523488d59639ae00c3340514af558a1404fe8eaaac7247202c02048570d57e1186222a22585cdc15d5eb00f88715ee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
137KB
MD5
cd99070e6193ea51bdedb9233e21f032
SHA1
7ab5565cf4175b727a13aba98a05b0593e9525aa
SHA256
2111e33c9c00b46947bcd09e3993906a23558bd42f0152e04d9acc4c6741717d
SHA512
cb12d16621e88e201e5cd06a454ca7d12cb7f2bc8c46c28bd1fc1c23fd6901521ce768e8e10195862d9cdc2fc60f9892057a0f3dc0e6176a928d73b82efebc39
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
109KB
MD5
98970fbb4ca14052173b766a2024ad03
SHA1
4f9b765b45ef87dd2e5a8c0fe7c2559dc9ccb68d
SHA256
7dbf108629418e07a01969930904eca49d05d9cd2ee3676390140e1f2d92e739
SHA512
5978c0011c2542eb906ff393202f9a181fabc3abf53851ddbeafe891ea7121a245ebcddcad9960f0db738675eed1fb22d9a89a08ae9be917937a78c78a33cc65
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB
MD5
4f087ab30712aedc7f470238f99e26c1
SHA1
0185f69d0088817005497d783d6e309923b495a1
SHA256
c057c682bcf1ad574953cf72d274d0faa1a7ab2a39ed58afd3dd888dfa2de834
SHA512
c63525119a15cf1ebfe132e66a752d928b091a35e5811a7d9bbcc209e809ef41be574a2ee4a50a2c0a1872ff4df2681306455cafcbe1c57198820f69b9e7690b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59842a.TMP
Filesize
93KB
MD5
911dea47bd6cabe134666992502d4ad8
SHA1
bd9dc0e032945863e579dba2dcacd538ff281774
SHA256
46a5b68ec018ca33828f167c13c2c2a3ca4ac21d3c6576461d57307aadfc8e16
SHA512
a24ef51b0f438ee5890207ea55f9954bbc7abb3cfdefe2398aa443f978795851031ab6752a678fc39256e560797a396fa753b07210c7bf579a347c25a2b7ed66
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___QFRW_.txt
Filesize
1KB
MD5
4e694b7fa020ae742d51ce37610c7b0e
SHA1
a5513227e14db9d9cee1b62c6c0277f5d0728d37
SHA256
5aaa12e13699187889c044928f9844798c4770acc1d09ef6b9b86543c981cd3e
SHA512
4b15857728d8327dad2bffbe8c04552163795a1c1301e6cd820a558e2ee57418dd70cc7a9d9452c61d87b31df6afdb6b7dc379f0be81652e7813c199dd343d7c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\81D4B46E5F1C225F9056245AA4A09EA13A9F4FD3
Filesize
60KB
MD5
71458697ba3c12e267c65baff81e8aed
SHA1
e7c866e141fc67b219af4731db243c4163b4f141
SHA256
620d0b16b02e31aa9c5be5f12384c8b02f788a0e043203c09d24ab29022a62b2
SHA512
0bd9d1d52708278c2221ae6b64c785cee4788b7cdcb4df3dac16e9ca59fb985747d8120be2aac5c9875d85510517546e923dacec3054851a15f95f8171245e51
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___MNVR7_.hta
Filesize
75KB
MD5
710a50894d2b23e45f2a822f50e109b4
SHA1
aeed0b70817de6dff05d7b0da08be4ef406e7a5d
SHA256
779551b60273268e2a81de07a4e0f6fffff4c8d0ee525d08c16a7cfe35729ed0
SHA512
c95d52d6cb34f77a4cf05c8c248b428f3f19563b5584182a70e5579f56c26113ca2554199d8e379894a63d96f961d7637575995cb1c5658f61acf183bf7744cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB
MD5
72ce5c6b1860926cf80303ff342f38ff
SHA1
72a3cd2364c9f22d548117cd34ddaf6e6d53a6aa
SHA256
0370fc38e1c1ced7d8e6bfe9201566456589e9ae3bb1713d0f5a1423382b6380
SHA512
a2d54b349d8b1d22a6c477e361dfcf1971a75b1a2174effc6a5cf0f5230052c62b2fa61ce3c783b8b6e38b94be5a5bf4a98c808dcb5a1856e72cb0d46a3d4040
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\57ceee7d-5fd5-407c-9290-d89b21728541
Filesize
746B
MD5
3b2074803dfd84010580860b87e71054
SHA1
093fe3b78a4c98666828a8faa3a97da4c6789cc4
SHA256
58c4865b6c958d45f236e9cc0c5ca565cbac6ad5acd12119da69bef28207ddbd
SHA512
d7f628febcae43574447f9947e52b4e7751b855df4916665014eefbd89293e9b0204fbe8671b4026bd3be5cd3e2b324a2bcf1d0904a2680790d05cd9d9f505bb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\b5fa3f49-ffd2-4a39-9215-ba5a20532581
Filesize
9KB
MD5
481be4cf7e500166a4ad138c1a0309f0
SHA1
5eaff371c076de89bfe1f0b2bf61a5cebffecc5b
SHA256
8e7f1517cb431de3468d8e007f62cc7facf2f5a788cdd1301c92c733279e48a4
SHA512
92d216530feb46d7dfe8a0eb15ee79f580cb04ad8280fc40fdbbc388865743cc85255e0ac56cde1be825d595fb636eb858c05b69514de861079dd30b2906ff95
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
6KB
MD5
25bd72b6ee85620539b736095320dd95
SHA1
4b3998278c356e2017439cc7d2570c60c44e4ff6
SHA256
c33c0702fffe132c41ccd33cab25444b06d49324859ff0cc3d923a4ea0dcc83e
SHA512
e6e0c199e33bdf74bfe782b8b2028b130c2032ffd7efd6fcd32d3e9aee7cb3d201e6967c67e3a2b52e95c7f3c203d71c3035cf359d5153ceb475b0008073b691
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
6KB
MD5
0f89cf21f613381f8a2a09cb29117865
SHA1
639e34d1c3595e62dcbad38586e7172af3026ccd
SHA256
3b556ad74cbe377501cf80f00759ba12e5793d34067b74b551ffd3e878995ad8
SHA512
526b83bd136e6c81d964067a2521f32ac5aa3bc61ec446af30d224c63ceae7a6079d644c4dbc11ab5b74f6f1cc50b9d6efa9bce09a94a126b9641cb122d4a628
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
Filesize
6KB
MD5
200a240ac0b4aa9df6da99c01929a496
SHA1
98faac9198e432c3269d663b26dcdee1916e8fe0
SHA256
7e7c0740fed5bd517d8148a80219c9f1cb61315ba89275f141b2953888d4e5cc
SHA512
9ce96368c9c7c570be65e27454499fd3eef5c5b51f7add55508b476222cfd5e9f4c890dd64cdee364f7c41c9e66937093fc2fe5001866f324dc94ed2479a9e6f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp
Filesize
259B
MD5
e6c20f53d6714067f2b49d0e9ba8030e
SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB
MD5
8db3ba3aa2d9d877f77937b3797837cc
SHA1
fc91443bc09ab98ad925aa51aed76a9ca4b79fcd
SHA256
ec3a2678a20f9c3d1b908141eafe3d0152cef9e60a3b04e4e2eed9076ed1f5fd
SHA512
8ccb94ca8f729bd2c1d7ed1b0ff42267dd61e00ab321b1676ecfc516351ccb132799a64c7b659bee9397e51311cbe39a113be38a7f51844d8bcf1b58155b492f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB
MD5
62c19616542c075b19d56ae055773b20
SHA1
06aab3646343a99a4678ee64d13c2d83821ac016
SHA256
f1b3a0b799bbd335f568833db7f40f9b47e2247f314925eb05816ce6cc8fa7b6
SHA512
42b830c5ac1272b289719e81ba1d61c4d68c4f77b5a30f91ddebaf5b53d29d5a6c01f1274cb9cbdcf0ba91ed1b3f8a9bbdbb903e23ba1dc2ca3a89c190338781
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB
MD5
d62aa2ef886c535184147f615a9daedf
SHA1
f59c882dc1893829a228e60b5ececf779b5214aa
SHA256
a828d876e4b777082067b8e79d6605bb143f3d6b75de97343785bd1bf3702a52
SHA512
19352f07054a9dfcfa1720598d700f46f61081cfefaab2d3d7597c8e4cc3d55e1e25cff885fef14f7a9bf9264caf920cb5a36dc7739c06545740e0566b4bbe2d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB
MD5
3e5ea0730e46b3a9c8f5aafc6875fe8e
SHA1
3433754a839329771c91d14af5e8dcc587f74698
SHA256
abbb49328de9c34f0515a347f94cf0f9beeadfac2584107832f30b026bd4b471
SHA512
9cf9887fe3682fce610236195e66e0ce580be6ae4f61ba52f760a4fde0d24cfb7ae27eca7cc33762b8cc61fb772eb1759b2355bcaf541bfc8aa6d669017dbdef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4
Filesize
4KB
MD5
9df80f7f91b5d3e676d145bf3c5ffd6e
SHA1
78159fb3875fdce756bc6f693b99481127e910df
SHA256
8726a547051ea0cece29978f40975da88c89815be9c91d157dab3f878ee4aa35
SHA512
851816b7e42e44b2f636fafaaf71fa6ddd2c2c9fe8d358d5db147161aa6c54792029915aba17c28039c81129581de1fcbf36b3e8d85a0c6de271c79f72d720e3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB
MD5
0ed2663971e8051b2bcb574926400fa8
SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7
SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c
SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898
-
C:\Users\Admin\Downloads\Ransomware.Cerber.zip
Filesize
215KB
MD5
5c571c69dd75c30f95fe280ca6c624e9
SHA1
b0610fc5d35478c4b95c450b66d2305155776b56
SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
-
C:\Users\Admin\Downloads\Ransomware.Rex.zip.crdownload
Filesize
2.7MB
MD5
50188823168525455c273c07d8457b87
SHA1
0d549631690ea297c25b2a4e133cacb8a87b97c6
SHA256
32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d
SHA512
b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70
-
memory/4928-1575-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize
212KB
-
memory/4928-1572-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize
212KB
-
memory/4928-1927-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize
212KB
-
memory/4928-1955-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize
212KB
-
memory/4928-1956-0x0000000000440000-0x0000000000451000-memory.dmp
Filesize
68KB
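The dropped-files listing above is what an analyst usually has to turn into IoCs and, when a copy of a file is recovered from the disk image, to check against. The following is an added example and not part of the sandbox report or of any tool the report came from: a parser for this per-file block format (path, Filesize, MD5, SHA1, SHA256, SHA512, entries separated by "-") that accepts both the flattened export some extractions produce, where each label is fused to its value ("MD5<digest>", "<path>Filesize"), and the label-on-one-line, value-on-the-next form, plus a check that recomputes the recorded digests over recovered bytes. The sample input is three entries copied from this page and marked as constructed. The two-byte content used for persisted_first_party_sets.json ("{}") is an assumption; the check is what confirms or rejects it. The ransom-note file-name marker is taken from the names in this run and is assumed to be stable only for matching within this report.

```python
"""Parse a sandbox dropped-files listing and re-verify the digests it records.
Added example (not the sandbox's code): reads the report's per-file blocks in
both the fused form ("MD5<digest>", "<path>Filesize") and label/value lines."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
# Ransom-note file naming observed in this run; assumed stable for matching.
RANSOM_NOTE_MARKER = "_R_E_A_D___T_H_I_S___"

# Constructed sample: three entries copied from the report, in the fused form.
SAMPLE_REPORT = r"""C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___QFRW_.txtFilesize
1KB
MD54e694b7fa020ae742d51ce37610c7b0e
SHA1a5513227e14db9d9cee1b62c6c0277f5d0728d37
SHA2565aaa12e13699187889c044928f9844798c4770acc1d09ef6b9b86543c981cd3e
SHA5124b15857728d8327dad2bffbe8c04552163795a1c1301e6cd820a558e2ee57418dd70cc7a9d9452c61d87b31df6afdb6b7dc379f0be81652e7813c199dd343d7c
-
memory/4928-1956-0x0000000000440000-0x0000000000451000-memory.dmpFilesize
68KB
-
"""


@dataclass
class DroppedFile:
    path: str
    size_text: str = ""                          # as reported, rounded ("1KB")
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex


def parse_size(text: str) -> int:
    """Convert the report's rounded size string ("369B", "2.7MB") to bytes."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[m.group(2)])


def _assign(entry: DroppedFile, label: str, value: str) -> None:
    # Store one field; a digest of the wrong length means a mangled line.
    if label == "Filesize":
        entry.size_text = value
        return
    algo, digest = label.lower(), value.lower()
    if len(digest) != HEX_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"bad {label} for {entry.path}: {value!r}")
    entry.hashes[algo] = digest


def parse_dropped_files(report: str) -> list[DroppedFile]:
    entries: list[DroppedFile] = []
    current: DroppedFile | None = None
    pending: str | None = None   # label seen on its own line; value is next
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if pending is not None:
            if current is None:
                raise ValueError(f"{pending} before any path: {line!r}")
            _assign(current, pending, line)
            pending = None
        elif line in LABELS:
            pending = line
        elif line.endswith("Filesize"):            # fused "<path>Filesize"
            current = DroppedFile(path=line[: -len("Filesize")])
            entries.append(current)
        elif (m := HASH_LINE.match(line)):         # fused "MD5<digest>"
            if current is None:
                raise ValueError(f"digest before any path: {line!r}")
            _assign(current, m.group(1), m.group(2))
        elif current and not current.size_text and SIZE_RE.match(line):
            current.size_text = line               # size line after a fused path
        else:                                      # plain path; "Filesize" follows
            current = DroppedFile(path=line)
            entries.append(current)
    return entries


def verify_artifact(entry: DroppedFile, data: bytes) -> dict[str, bool]:
    """Recompute every digest the report recorded for `entry` over `data`.
    Reported sizes are rounded, so length is only checked when given in bytes."""
    result = {algo: hashlib.new(algo, data).hexdigest() == expected
              for algo, expected in entry.hashes.items()}
    m = SIZE_RE.match(entry.size_text)
    if m and m.group(2) == "B":
        result["size"] = len(data) == int(m.group(1))
    return result


def ransom_note_entries(entries: list[DroppedFile]) -> list[DroppedFile]:
    """Entries whose file name carries the ransom-note marker (assumed pattern)."""
    return [e for e in entries if RANSOM_NOTE_MARKER in e.path.rsplit("\\", 1)[-1]]
```

Running `verify_artifact(parse_dropped_files(SAMPLE_REPORT)[0], b"{}")` returns a match on all four digests and on the 2-byte length, which is the evidence that the recovered file really is the one the sandbox hashed; a single `False` in that dictionary is the signal to treat the recovered copy as a different version. Memory-region entries carry no digest, so they parse with an empty `hashes` dictionary and cannot be verified this way.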