amadey | bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa

Resubmissions

28-05-2024 07:01

240528-hs7bqsbd54 10

28-05-2024 06:51

240528-hmthpabb27 10

Analysis

max time kernel
152s
max time network
271s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 07:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
Size

1.8MB
MD5

26d2630ef6f3b919dec5e2b5af18d32b
SHA1

4e650852f83a3b0d2b0fa276165dfa291282fa5f
SHA256

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa
SHA512

90ac6b5ff3a8c8c5fbb0cdd343231b8a994c171d65558e683b06534b48f6923c1cb99d0ceed0eaccdf606f9aa2759b7e2d9b2c46af6095d80b6c7f091e70a214
SSDEEP

24576:aVAOWmoe9SUMwLGX46Af89PNfwtMH29CjG0tXZTCA3tWxvrxfZhiOWR3d8DNxJ46:OewIZ1PDf3HwCjGqTCzRgt8DNxJ4j

Score

10^/10

amadey redline 1 49e482 discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe	family_redline
behavioral1/memory/1772-109-0x0000000000C70000-0x0000000000CC2000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe

Executes dropped EXE 11 IoCs

Processes:

axplont.exebuildjudit.exestub.exe33333.exefileosn.exelumma1234.exeNewoff.exegold.exeswizzzz.exeNewoff.exeNewoff.exe

pid	process
2596	axplont.exe
1724	buildjudit.exe
1704	stub.exe
2656	33333.exe
1772	fileosn.exe
1788	lumma1234.exe
912	Newoff.exe
2168	gold.exe
2948	swizzzz.exe
1276	Newoff.exe
1868	Newoff.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	axplont.exe

Loads dropped DLL 26 IoCs

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exebuildjudit.exestub.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
2596	axplont.exe
1724	buildjudit.exe
1704	stub.exe
2596	axplont.exe
2596	axplont.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
2596	axplont.exe
2596	axplont.exe
2596	axplont.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
2596	axplont.exe
2596	axplont.exe
2596	axplont.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
2596	axplont.exe
2596	axplont.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exe

pid process

2664 bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
2596 axplont.exe
Drops file in Windows directory 1 IoCs

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe

description ioc process

File created C:\Windows\Tasks\axplont.job bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1204 2656 WerFault.exe 33333.exe
1300 1788 WerFault.exe
1956 2168 WerFault.exe
2548 2948 WerFault.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2000 schtasks.exe
1076 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe

pid	pid_target	process	target process
1204	2656	WerFault.exe	33333.exe
1300	1788	WerFault.exe
1956	2168	WerFault.exe
2548	2948	WerFault.exe

pid	process
2000	schtasks.exe
1076	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

fileosn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	fileosn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	fileosn.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

2804 Notepad.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2932 POWERPNT.EXE

pid	process
2804	Notepad.exe

pid	process
2932	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exefileosn.exechrome.exe

pid	process
2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
2596	axplont.exe
1772	fileosn.exe
1772	fileosn.exe
1772	fileosn.exe
692	chrome.exe
692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

fileosn.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1772	fileosn.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe
Token: SeShutdownPrivilege	692	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exechrome.exe

pid	process
2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe
692	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

POWERPNT.EXE

pid process

2932 POWERPNT.EXE

pid	process
2932	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exeaxplont.exebuildjudit.exe33333.exelumma1234.exeNewoff.exegold.exeswizzzz.exePOWERPNT.EXEtaskeng.exechrome.exe

description	pid	process	target process
PID 2664 wrote to memory of 2596	2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe	axplont.exe
PID 2664 wrote to memory of 2596	2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe	axplont.exe
PID 2664 wrote to memory of 2596	2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe	axplont.exe
PID 2664 wrote to memory of 2596	2664	bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe	axplont.exe
PID 2596 wrote to memory of 1724	2596	axplont.exe	buildjudit.exe
PID 2596 wrote to memory of 1724	2596	axplont.exe	buildjudit.exe
PID 2596 wrote to memory of 1724	2596	axplont.exe	buildjudit.exe
PID 2596 wrote to memory of 1724	2596	axplont.exe	buildjudit.exe
PID 1724 wrote to memory of 1704	1724	buildjudit.exe	stub.exe
PID 1724 wrote to memory of 1704	1724	buildjudit.exe	stub.exe
PID 1724 wrote to memory of 1704	1724	buildjudit.exe	stub.exe
PID 2596 wrote to memory of 2656	2596	axplont.exe	33333.exe
PID 2596 wrote to memory of 2656	2596	axplont.exe	33333.exe
PID 2596 wrote to memory of 2656	2596	axplont.exe	33333.exe
PID 2596 wrote to memory of 2656	2596	axplont.exe	33333.exe
PID 2656 wrote to memory of 1204	2656	33333.exe	WerFault.exe
PID 2656 wrote to memory of 1204	2656	33333.exe	WerFault.exe
PID 2656 wrote to memory of 1204	2656	33333.exe	WerFault.exe
PID 2656 wrote to memory of 1204	2656	33333.exe	WerFault.exe
PID 2596 wrote to memory of 1772	2596	axplont.exe	fileosn.exe
PID 2596 wrote to memory of 1772	2596	axplont.exe	fileosn.exe
PID 2596 wrote to memory of 1772	2596	axplont.exe	fileosn.exe
PID 2596 wrote to memory of 1772	2596	axplont.exe	fileosn.exe
PID 2596 wrote to memory of 1788	2596	axplont.exe	lumma1234.exe
PID 2596 wrote to memory of 1788	2596	axplont.exe	lumma1234.exe
PID 2596 wrote to memory of 1788	2596	axplont.exe	lumma1234.exe
PID 2596 wrote to memory of 1788	2596	axplont.exe	lumma1234.exe
PID 1788 wrote to memory of 1300	1788	lumma1234.exe	WerFault.exe
PID 1788 wrote to memory of 1300	1788	lumma1234.exe	WerFault.exe
PID 1788 wrote to memory of 1300	1788	lumma1234.exe	WerFault.exe
PID 1788 wrote to memory of 1300	1788	lumma1234.exe	WerFault.exe
PID 2596 wrote to memory of 912	2596	axplont.exe	Newoff.exe
PID 2596 wrote to memory of 912	2596	axplont.exe	Newoff.exe
PID 2596 wrote to memory of 912	2596	axplont.exe	Newoff.exe
PID 2596 wrote to memory of 912	2596	axplont.exe	Newoff.exe
PID 912 wrote to memory of 2000	912	Newoff.exe	schtasks.exe
PID 912 wrote to memory of 2000	912	Newoff.exe	schtasks.exe
PID 912 wrote to memory of 2000	912	Newoff.exe	schtasks.exe
PID 912 wrote to memory of 2000	912	Newoff.exe	schtasks.exe
PID 2596 wrote to memory of 2168	2596	axplont.exe	gold.exe
PID 2596 wrote to memory of 2168	2596	axplont.exe	gold.exe
PID 2596 wrote to memory of 2168	2596	axplont.exe	gold.exe
PID 2596 wrote to memory of 2168	2596	axplont.exe	gold.exe
PID 2168 wrote to memory of 1956	2168	gold.exe	WerFault.exe
PID 2168 wrote to memory of 1956	2168	gold.exe	WerFault.exe
PID 2168 wrote to memory of 1956	2168	gold.exe	WerFault.exe
PID 2168 wrote to memory of 1956	2168	gold.exe	WerFault.exe
PID 2596 wrote to memory of 2948	2596	axplont.exe	swizzzz.exe
PID 2596 wrote to memory of 2948	2596	axplont.exe	swizzzz.exe
PID 2596 wrote to memory of 2948	2596	axplont.exe	swizzzz.exe
PID 2596 wrote to memory of 2948	2596	axplont.exe	swizzzz.exe
PID 2948 wrote to memory of 2548	2948	swizzzz.exe	WerFault.exe
PID 2948 wrote to memory of 2548	2948	swizzzz.exe	WerFault.exe
PID 2948 wrote to memory of 2548	2948	swizzzz.exe	WerFault.exe
PID 2948 wrote to memory of 2548	2948	swizzzz.exe	WerFault.exe
PID 2932 wrote to memory of 2392	2932	POWERPNT.EXE	splwow64.exe
PID 2932 wrote to memory of 2392	2932	POWERPNT.EXE	splwow64.exe
PID 2932 wrote to memory of 2392	2932	POWERPNT.EXE	splwow64.exe
PID 2932 wrote to memory of 2392	2932	POWERPNT.EXE	splwow64.exe
PID 2852 wrote to memory of 1276	2852	taskeng.exe	Newoff.exe
PID 2852 wrote to memory of 1276	2852	taskeng.exe	Newoff.exe
PID 2852 wrote to memory of 1276	2852	taskeng.exe	Newoff.exe
PID 2852 wrote to memory of 1276	2852	taskeng.exe	Newoff.exe
PID 692 wrote to memory of 2980	692	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe
"C:\Users\Admin\AppData\Local\Temp\bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\onefile_1724_133613532805308000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 72
4⤵
- Loads dropped DLL
- Program crash
PID:1204

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 68
4⤵
- Loads dropped DLL
- Program crash
PID:1300

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe" /F
4⤵
- Creates scheduled task(s)
PID:2000

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 72
4⤵
- Loads dropped DLL
- Program crash
PID:1956

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:2548

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StartInstall.pps"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2392

C:\Windows\system32\taskeng.exe
taskeng.exe {8DA9CD0E-6B6B-482C-AD10-5104709DABA5} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
2⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
2⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
2⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe" /F
3⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\DismountUnregister.hta"
1⤵
- Modifies Internet Explorer settings
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69c9758,0x7fef69c9768,0x7fef69c9778
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:2
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:2
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3048 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f5d7688,0x13f5d7698,0x13f5d76a8
3⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=836 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2488 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2328 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1896 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=736 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3076 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1572 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2340 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2372 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4300 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4280 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4444 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2388 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:832

C:\Users\Admin\Downloads\rkill.exe
"C:\Users\Admin\Downloads\rkill.exe"
2⤵
PID:1348

C:\Users\Admin\Downloads\rkill64.exe
C:\Users\Admin\Downloads\rkill.exe
3⤵
PID:2764

C:\Windows\System32\Notepad.exe
Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4064 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4344 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:8
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=4088 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4792 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=1608 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=3712 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=3868 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=3720 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4896 --field-trial-handle=1288,i,9675146067378385878,428636881839780897,131072 /prefetch:1
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
PID:2656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
da337738bf5e6cd555ff41b1d4311eef

SHA1
51e4538063aade2ee54902b2aeef5d55f575a1b4

SHA256
9399165b106fb79d79593f5dc33f2d564f9b953df3bdc87f2b145b614434d99e

SHA512
07e4a211da003d51b5a4d6cc87d82ef77e2146f2ffa79ad5cb744ed8990e683829396c4a65fb25a06bd9b810f0483fc090348608d3ee5361de69fa364585eb8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
3313598a23fd1aec95e199707a3ed99a

SHA1
649f0874fce7884541cde5f22b334ead8ee6c964

SHA256
4940d697160c6cfd9a22862d25fb605e37dc51819d74ce3bca635c0795d21b05

SHA512
b62e74f821e9071328764f1a2b78dab008b1aeb201058cd05485aa9df6f92f334a8cae343c9186335bbd19fc4e090a79a84c22e5391c3ed2771df2d4b639a764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2b8a26ebcd1304fc80bd601218fb98f

SHA1
f97d397ba276e9f702af08b08360f1b41eb304f7

SHA256
f47bbef15cfd5558f73cf11673ae79116adf50ecfb897d42d772d9d4b535d50f

SHA512
7bed2d06b83fefc2d4bdcc1ecbee92c62ae28f6330d1a90305c8ac111afcc8f72089cba9f5288c70e51f3f706028d4eff6ad77e2ff07a44e6c56eaae87571004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
025c2954cbf3effedb6a62ec375bb866

SHA1
16d46af6dc0ac084a53b94161f05f5206cdb4283

SHA256
14e979423a7e16637b10bfbcef4e940aeae2132863656229dcbc90c312dbb2a1

SHA512
48639aedf2e28571ffc88a49938091431fdb5fb474ab79449724b5c1f54e673641da9aa537c9511edf181b99bfdd5f193ec2272136f5725a61f418e26a5aa222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8dd67f0286ba1cb5d9f2a9b5ac3c58d9

SHA1
76950d34b91a7cf31f62fdd6247b48237988f59e

SHA256
f43bde406e779c4ae3ddf5bed0e0aac50606a1bb2d1ce3cb5904a38da60e38ef

SHA512
666fdd98bb9097cee7ae1bc667a29af90be6aca816726d8813adbe015f6c983b20ce7b84e8cd9faec6c03d2987bd244e9327f5cfcf08fb90bdfc2d4b1ea3d94d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f870fbf4c680b803ecd225da65ec0dca

SHA1
a50c4950107b140afed4c0f144f2ec2b29a8ee22

SHA256
d101e226a75bbf9513d348f084d56c47a304326482be162ad1e70cbb8e5b8a32

SHA512
2e27fc422356583a29e58affd740b326a615e965d0a760b67054686af08fbea8a50f5526ae5797f712e643ed99b7694c1060e637c5425d3230b75457024cf727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8492b91fb6aeff38a9d6e10054a4bd55

SHA1
b3c895b39eb4fa7134669166b589df4fe483b688

SHA256
7c473304f77d89dd8fccb247d712772f03af194e7b0c4531428f9ceb79bedfae

SHA512
ed023df71fcee1b238313f2a432ea68f25a65d46fd1992d0f8e0d8ca46c5e210868b27ffd57394c178206a761b75179c63874573badcb7d45765121f217e0a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbd00100005ddc3eec2127e5517166d5

SHA1
cc4041b60d880c9105137a70537ec0a4d89c3459

SHA256
fa08611a73500e6e4082ed4a77ccee59df73e9bf018ee819967ee6dd33e6727d

SHA512
b1e14399fdc5b15e7c6125eba2e3051375dbb601e166eeb7a66c671ad1ba9c3c14c8428f95913aa2be753f59af4e9ffc49383fd953422b1b7d030f18346f4f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1bb7cd5fd677f7cf00b904416687e5a

SHA1
c08856f3359625f73d18a29bbac5c3008839b914

SHA256
8993d0434240e3660b37dd60bf9b1f9498c8317d19c1d36fe14a9338bacb9e73

SHA512
846f3b66ff447ed8b4bdb8f0bde6bf333afc23f19e793bc3dfa3f086918d3043300081288a24985d8ef8270d1e3d00890743db020a1d298565203bd4c23f0847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91cdf59c3a3ceac1211c926a155fc024

SHA1
15242d5ffb6a35b886ca6df99d263d1baafb8fc8

SHA256
6b9df8b683ee860b7252473fc79c9f7dd4e4d4f5b52f774bf5eb376aab3738d3

SHA512
93fc29a07aa591b54e125320de6a35a69ed4e2931cd5c324c545b82bd69568a4e99a355fb5a573a77833f31d9fbaac3c18278b975cf0d08c489f5d1ca5f059dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
759258cf5389753ed482691a22a37366

SHA1
40ecdff71383889c8934ba853ae0516b071175a8

SHA256
7a55fcc134a8ebc6ab52934d2008d64792c0534ba1f2422946d775b5dd671024

SHA512
012f5e3df53562469ccb27b8f1c0d85b6482cbb91594a18eeedcc286a58b58cb6816a035eda52d6469a9c3c2a709445b9d275f42acc0058530f91fca8624479d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca79e6f3ba01c10962fbb57cf4f4b363

SHA1
081fa01b3623a3ff18e006786e3721ef71897668

SHA256
dc4d9df45704e5145b529ae8a9066770aed09dddf42c05a0d1a6b198954145cc

SHA512
034755466c52fb1d7132d10542f20d343977f93ebf09f120378be56106b1b2031dd44500a9087054b22277b9f3b303345dccebfef07ad970b9a615496d854973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
982b226b0396b5d52dcf8e5c016a2597

SHA1
ad54fdbdee07ecc1d30312b9030f9e4ed360267d

SHA256
a7ca12695c27921ac7e8de9ad8e58bf3021b96904e6cc9fc9fd72c6239764d08

SHA512
1e68f940ed0215a169c51ee9dcca7c12dfe3b5495cbbc4379537cd2e245f1696e2ed0d4ac4a8acf77db7fc2cdf71aafb1ccc7e074ad880aaa41020d98cb61110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c1a63d50d96a5b9a4262125e0ceb6cd

SHA1
bd1050b044488efb1c137fb641c1db8fe7aa72b1

SHA256
0c51ef7eeb8bb59ba1b514b62412c7e6b7c08c528a1463898d5cb8f0f43a1e41

SHA512
39c9cf17185cdb8ca23d65648eff43b5bd2b68bd7c00041210355b3ede3fed4f105d63e9d2d5a0937c92b1cb8fad8b117bb23c86da23bc3fec25acb81c3180fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0760269d1014d9e620bd546d38c603f9

SHA1
bc443b196eb471d08007e423ce90d791fe5d9c23

SHA256
1db6663c200964915c075fea4ff3c960e182f4f8d66131da809203953e4cf561

SHA512
8ba34c04571cea81bf8e6ecd69676d8c588003377e4e42572d29b84e56f7bab63efe0027088b18ba29c183dc48db3ba2a83718c96812dccddc0c503b5798dfa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0b8c7f2244981cb058381ca0110ce1b

SHA1
b966b9491f98ac21a87e0e5e742e432c0922dd93

SHA256
1282241c9a9e7a2df5d8dc2a7599b07df022cc25ea7fbb068e28656538559602

SHA512
3a6cff21efff0cfc3927cec557e669e145cb6a0bc8b5f98b93350e4adca453cedc1509bfc0d4c0d1097f78ae184af9b32f3cc0f7e80f7737f0a0fa89f2f9e21a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32b8dcccac308d87645013a26f85b2bb

SHA1
93ced172ccac851ef43f3578b20907f1a9cbd624

SHA256
987bf74f8cb0881fa8f884b8fbfb85288ab2cdc264e8f06a7ffb6f95ca77c955

SHA512
92fda8294f034551778f4ebe8ab00d39daa3ee0ac47bd1a13beca65d6ac8802ffde21b7124c3504e8932cf325099f46cdb0ef5bf8412d877f4306c453b1482b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56a1843ffdc2f9282780b2b113ac2309

SHA1
177e0586ae631fe9f871a82dbd0899371c5e12bd

SHA256
5448eb8d78bebf7d725df61a62fa73dfab9999c52786f10f7142c04f01930778

SHA512
5c22d8b13ae7f12926320779582ac5961fe5f0bae2ff325c6d10e91f0cdb54fbcc0a46915ffece44ae403c4abb345cbe41e9615f108527a3385aafff33d6b350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d2b4fb4664a2e28daace367769990a6

SHA1
d142d0507be45d84ca0dad97486208bdcb7cc372

SHA256
fc262d98ca96fd5a25f6feaaa12d659f845da07c32820e0fee00288b5685a2ed

SHA512
ef8e7d8c744aaa102a87edcdd70a863dc4447094d7cfe275af5693f00f56a0482173b2b0ffaecbb5059de99c39983203384fea613362192b1bd50441e1e0096b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3cbfe9cd72b65ed70472da13bfd3299

SHA1
045e071bd5ba69176c958fab9c0dcee9f2654a6e

SHA256
344e1d5d73b2495a2c45b26869558c0e3794892db0062025a7288e8a5e602a7c

SHA512
20117f2dd2fb2b0b81ccdf98f178320f7b07138cce9fc258f8fb8073737bad3305c854c19ca539b224df2b265a8561b5857652959f603514b7df24a0d2847f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
804e9b37692ad55a7f0c95582182b41b

SHA1
7fc080a6ec33c33f6b1638c5e6fe3751797f51c0

SHA256
9de7ffea6367bbfa5227b01b3e3b6dbad8f568a81137e3d77e48cf55c68b43c4

SHA512
342f78a9cc8b378092ba6f8022b47f68fca6a9e00abf512e554db977fe1b85681b24bbf926428ac16dc8f02772ffd903cdf4f90020de1d1fd20b03c89a443ddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5817556483f3e1d19b242efe5351d61e

SHA1
9cedebb45af40128ee713c38e3e2fed388e3eea1

SHA256
e1b47e44454e941638b5e832af2cd3d0f16940fcf6ae5cc0e9b223c9168cf8f2

SHA512
e1f9aa9d5dc53bc79d817e11639bbb48ffd11c6a13d538a6957e9702971cee54c41b2229041eb819aa3ae4b963821c088428165a353ecfc67dbd1de0076a8841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
319d4bcb7b6a3e48aa66e42da577b461

SHA1
9babe39a192464133faff6893b203f9237bd9a2c

SHA256
499af0588e91add6bcc2473a11201166667e4a5170ec9c496805634366d5eedb

SHA512
e7b235415874d1a471f4ca325c4b8cdf6791d03823693ecf11687c2f10d37d08d354225868ff42166db2738eb05b49dc571ed63d1691492e6a4bd56f6206d91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00c9e16e3c37cfafb39b1edcfdeb1c89

SHA1
c2cd1e3a57a704c8b5963db1faf59e52883c38a4

SHA256
2a05a51fa10c231872377a266174a3f2bb0cb564bbc90804cfbe9becadc135c3

SHA512
4b73d02ef3830eaa8ead8f0101f3196cf0aecca6610575cbd95d83dbe94ae6f05a8ffe1d6cfae42315efa149ddf2adce558c4b872d147df8160fb584bfb067a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e835e70677d1aa55a7743182ab7d90a6

SHA1
d67040cd7e5ac7391441e312411410fcd77c8ec2

SHA256
77c7df088964743c284ae235a34c42c12b10f6d4b0672d92f988eed756f0b161

SHA512
3f717c960de117b92dd1e1f3f8c252b7d73534470a5859989a88047dad0dde41b2f51d0ab56e3d62a4d0c85bea495a3f65b320f5eb03923229f312fafa94865a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8df00c0ff892565eb0a81cdb20623de3

SHA1
36f0b4e00d1f5e48eb84d8cf9c9b3435af9307f6

SHA256
6c4696e5456346969489a55180fdfa2b7a26305dc8a2eec031190b7ab6a1a662

SHA512
b57cbdfb8a9cc336ff7d3969420f73d227176c284b36acef1df62966b0e918cb2e60996268dc62551b25b88e3a4ce47aac03032ffb5f61aa3bf90f2fee5dea9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
37f0cd0c4c0696bb8f36e5e69036a30d

SHA1
923e7d611e6200a7eebedf0db2513cae34a2210c

SHA256
22d27b86ce0b116dbe3fc079839f882b71972c2aad9552b3d391fcebf618da64

SHA512
5b8fe4ac8700d37e50c9e12828ab5b69b2df5459935babc5991f944d763658a0921568c7667b605325e7cff894c4cf2a4a6338a1560d67743d51a96538df9b82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
88ee896656737af333f0796037055662

SHA1
ce40fad44ad1fc402b0578fc2f71bbb29ebb070c

SHA256
aa48f18e764e2d7e7d7f39554fe3e488126da15d4e075bbdc8c064cf27b11eff

SHA512
236157d513d779d0d85a7b57e1984c33255f3838d5fd992796f0cf3c3b6b62d225b206d34d91137baf9c609801057506d6103fdb9ac83f3850d1354a6ee03205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2e164b91-f543-4ac2-93f9-4e8cd6446688.tmp

Filesize
8KB

MD5
3f59e6f2420f65fbea35d7fc421f2fbf

SHA1
97ae342af082fec3be9b50ae25781406c2ab5fa7

SHA256
8fa06fa3485697be470a69c90634b4e7630f589f390fbe7d90db9df9dc832bd7

SHA512
ba83332c2e505aa398792533a3d964cd8b48bb2504a821b18aac048bd93cb7336eafd5909d6854aab51299fc3d2fbeeba3bd82e4fb9ca03109bcbef3bbc829b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\77f84bd3-08fe-4de0-bea2-f29bb16cf6c9.tmp

Filesize
7KB

MD5
16c578da405844b4997c85e77ffb3757

SHA1
81b1a69ad109f66d995b60a7be71d61278ff7bc4

SHA256
ce911a0d9747700fbf37cadb85d5c1de6ded3629133f4fc94883e5d92d9b359c

SHA512
73a3a62455db42ab9472eda1592859d1efd05fb2221ca2934d81813382d85a3dc956b379fe01dcf02628e4cb76c78e8d5a92e42eda1d32f63601e28c25e1fffe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
19KB

MD5
556e01fb5d7fa3b3a0f71bd6a5f04cfe

SHA1
ef0e9440d799338986cde24844307f90bbdba344

SHA256
8581da2c315bb6b910a2ab0c812c3d6eaf5f63605b7dc00abc699946902be89a

SHA512
c4a30bffc1bf451b7515b87b8cd001fa2e432e0ae6aff6b85dcd7e87b0ef4204aae36c84b095ee1d296f1dfd349a59cd088a0bcc590b3be05dab027d1e0e45b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
103KB

MD5
59f05483f60ee5c6b45622671aefdcb2

SHA1
463b0bb58349beb712cf9e9afa0232c742772c43

SHA256
f6904c3ef4fd4fe6ba11e88aa6444929e35afebf7eba9d24e6644f51a6717dfa

SHA512
407376a83deeac1a48da18fb282cdc35a26ea9fdfddc29a3675ba5a7ebb74a74a6f1316dc9256f13ceed160af75b87ae3a264c8a29a7f43b13cf0b7c3748cb71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
39KB

MD5
34ac27fc75f6cd2fa569d06eb0d09311

SHA1
9a218afb952ce0eaa96f51379a34468373d0b4ca

SHA256
ad17c9217e460d9d7a33ef3b715103c00ef9b12cf8b84cfb7473d48fdbcbbc5c

SHA512
d5906a574fea21038ba47d2151a17ca2c7675ab780f102d1972682ac5bf80edb590f80b0fa1a455ba028c0f57c0d1c3b97da0386504aa9b8d6f35f4325c55042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
16KB

MD5
6a6995505b4d4aae99cf6884c1686705

SHA1
638e0aac161eb55f04147c8517d083ed306f5f71

SHA256
77db5e9514916c5be4f838810ffb9c65a53968c28afd858e5bf62333248c9044

SHA512
37332f3092bd6683707c056242ce676aeee9702136bb1c5678cf44827ca3a0a039eb554b75b5796894969635d9d32b2987e7f85ef0cadf72e199af7b4d7101bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
91KB

MD5
828b1e851bfded9d54102daffe977787

SHA1
e74c6eead3fb9f7d33aeba66d47e247033a247ea

SHA256
12a791688f0a480ce2b134da2feeca6c5df9b33d98a6daac1f90d2d5d63ea5df

SHA512
3813bd1de5e796f8ca0ac5e52e5e21a164ccb5e26ad3f8e7c16f5b1aedd3958a52eb00667583248bb267ddc90f81ce02c2885f4c9376ffa8d6142f75062928f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
45KB

MD5
74ce550cc67b11add03fb116524c009e

SHA1
20d00fd1dbd8093390e0b77299adae6666f961b4

SHA256
ba7ebcbedae19caf2cb1121a85ea98314996a9d500d66112298e89291aa5ff7f

SHA512
c2c2fff212c4edcce9f9425e58bb403761591b9e8353b8a7c0b40deb9897f4b6214e32c41b59f25660af05c64da97ab3f62889f52d81f99308ecf037070647bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
29KB

MD5
245fbc409ba8e1c0f258830a66546575

SHA1
c352ab5f28284dc9ff97e2553bff7788dee010df

SHA256
3044aa30b0496a314954ce505d088821e32a27c3ca6056d5ff9ae031ed8e62bc

SHA512
d750a169c4217a0df59c806a27cbd53f1342098cd1ed2c7295c4bc47c6740f1f3f201e6d4c03da8aef1e33f366285520f18104fc8989836592af11c961926e8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
141KB

MD5
3c78f42e52d6de58e73ae21e2cf1ce56

SHA1
95d45f11832ea39057972909c42175448ef5c1d0

SHA256
04ba5103e3c56c29fe2b756510c0404446d3ff404924b177017b2d9ce264f455

SHA512
6e47c3af7dee53c7c1a4f06582a41cde9782a25ab6928138f16babad7570483c8c47ae3e2ccd51bd0e9e42264eb4e42a5983e3dee3f92a2908b73bad8ea3a369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
29KB

MD5
0c66ef933caf682884062ae0cbf84332

SHA1
0e2a46a4e0948b7904a57af4e09483f3b91f64e8

SHA256
33a75797721704a348e9ad8c7393597dd5eaa4f3404b0b1b857dbe790a3b6c6a

SHA512
c21af6876d53dcb4983815c432e8972717188d32f9582ac167f73b5d1e8a86d1390c4a190d306f6c920d0762a05ac55ff8458f2b071b809888f50a9e4e4be585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004c

Filesize
162KB

MD5
75d45929ee46515dabf35cda49c36f0e

SHA1
276c7cae2b91c9ca7558049133e8857b1c47970f

SHA256
52f26094fc74436a6a269a9134b462fa44cde2c624e665fa5d7e1f024c817fb8

SHA512
92b39f0133c3814b1d24a6868735b364a634bec16c2e71ac25b9762a18d0a78186c6afec897e2fcb58d71f5b40e1d86932a0071906695a4684b0a58447e75fd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004d

Filesize
181KB

MD5
a762dd841989022c1152eb6d9597da2a

SHA1
073bdfce136e6eb6207bb5e140340e743cc39ec5

SHA256
2e3cab43ef373bef6ede61b02be8a750c94a738dc5c8b524e37c43adf798999b

SHA512
8f698178d38683463211abb19f0a087aed03b3bac526308d9113ca2315679f53eb2614f42fb53fd70f284c44dc4756e800dcad68957a6c49b29385b9feffd6c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77b6e1.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d1ba900fd610f7d34910db6615e1ca35

SHA1
a8c7faaad443b99cad30208bfcb5e5920aaf2341

SHA256
febd1f14772d6f73d27afdece678b9afa400d2f89d8172a442edd103992e1822

SHA512
c2513b85f55a9b6258a7faa7b90d6a42c8d3616d4ad793de63bcce43d3495d4b82322ba82b15051710cd0786e3084a63af1227f1441c9364d5dc3b9d65bbbc01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
70fa11246ace1552e06ac6469ede47f7

SHA1
9ce70bd8a07a1086aac4929e17c0233cfc0722d3

SHA256
d0d7c6c3393f7a8e55dc997b5417f6e7a2e6ef31f113748d30f4cb603ffd64ab

SHA512
d140e98ab88931f3df1226a9fff88edc9cbb6c7697521052dc5c540cb0617116c27358ff189267a5b4062470b82e3f81fb5a06e72ef3894901390b0d588618fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
10347c62ce9dae2289248a79e3db08d8

SHA1
2aa3c4bcebe18475ab6bd4fafe406099accc0ffd

SHA256
c0092d526d43a7745b57b591049721178542fa29c0e14d4dc955aa066548a649

SHA512
5629679c1b697c1059b8254029fc1e1955276479a829b331d7d66d517fbcc3d10fd56f1d663dc1d0fbd4f7c2dee11557324e9a2a0044e04e8bd12ef7b9ba684b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9959d5fb903850c382a297a81e2c56a9

SHA1
338c8340d617cedd15baad70328953d2dfeb3edc

SHA256
df09d587c102623dfc86b3950c6117b7f296fc4f1dd054f652b0c469bda6f812

SHA512
0a4cba9303d411b7df874651d03db5fdae39682527b9810a4d0c19c14e43468e3c8cd5f9c203de8fd4e36ce0104f45fd5c9c98a3f2249cbbc443cd2e047c4c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
3b7bb76a3bb8620626b5d57074961cc3

SHA1
b2b7ea6fa4fb7eecf1e03dc1d7751eb05ec3e1a6

SHA256
029d6ffc206b643aa55f85c4101c938765371c6245499dccb73d25b57db93539

SHA512
f8f1a1bb1f667a6d71d5acecaa3df3d7b0132d646b44f3275ed9a536fe40987d900dd7e97d8a6e5730f41841c2747dc442a091f73658913cbff7c8f5794f5872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
478d2f88da52dac9c1a7a67126f22d2c

SHA1
259ad73bc202ce52fe6dff47f4979e3ba28ca324

SHA256
0e5af1c63c3f33f195b1060d59fa93009c5539e199e81121bc0f03f779fc6eaf

SHA512
d0e54cca61813b7c410199fa702d1507710b316ef378cefcbe2c91b6776796cb76ef44131381084c1949c34d84c59388989595b8bbc1b887f6b61cafb21adfa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
73ec372f46df6e85691643a45dc8c85a

SHA1
42ea42108fbaada2a8f8eb34ddbe4915b5967eb0

SHA256
f35ba67a942b698f6b15d871b2b26859774da305dd86d4ca39dac4b37f23a0c9

SHA512
2aff6c3bb1566206e3c08a4f980dfa974f7b28072e2f4ebf5c5155c9e18b33574b90f49387b2d0c8bd7cbf52c073e838d171bafeac62cadda2933e8ecca48049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9e396a82ea9754d0f64e39052c8f78ca

SHA1
f8696aa54e0f6fb637f17237d36456d71537e374

SHA256
7f32ab3fb28a196e866126a8199a499adfbacb2e3c691f0b64cc1e99ba72bf7b

SHA512
eef37529cc01934365135b7f8afe1d0fa1de3154695345617c5fbf225e2323752a1b3735d864258890c31b80d8ba088a968379e031f4cd29526604a4eb139bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b6670a75b260d6287d7510bc3cfa5c24

SHA1
93de85385b70b750b2e70043f3126c661307e4a0

SHA256
b0c64fa603474f20fd423b4099fd5bc72ed783762a078d82c7cbaeb72a8f90e3

SHA512
379bff3b326e5feed670351b4b28b8432d1d074f6823f580d7f835d37506b345ddbfc76d102273d3ecee3bbb93d2cbef065723ae1f52b045d6e4710e29c8e8c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
153662efd0ac08c0066d1a3ef06ba283

SHA1
e255f339e824ac313eab47db217b8bed4bba9e93

SHA256
e3bdf36e9c96718d4381e5bc53254b2c6cbc419f2312c6736179053ecb413bc7

SHA512
ae231e7550babcccd99db2959e0f31ab7da8a6686de444a612ddee0ff0c41d7ca218bf1718177a2ebff133085c8a2d58bba9d3be028f108b028c410a8c28dd47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3443da1826d6a3d731e51be27799da46

SHA1
bade73bffd50ec6eb130c12b611090374a06152f

SHA256
e1cabbb0ec92def70598b088dc0eece32d6c174aa78681c7975f5a0a7ca6cdda

SHA512
cccbaca7c3c827252729109f9e09a10fbe6c1bfd789171822cf373b6d99f710d953dc913b66af5c4deaf35529ffd2b0b1b46ea6ae5d6d566fb34c8fed57a61e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e0b7195b2f4a0fac89773f4bd16f77a1

SHA1
50bb904670f8ad4c8d21e5a2800b58efc78b2b47

SHA256
2dcf2a50cdc026d07bdeba0461ea030580657817ca56b79a8b928a690fe42f56

SHA512
9a7fe1bd897e723e1c59333cf631ec048761707f8e8c9f0ae22e8bfda9073c162247ac0ed140055613d79d4120c378b9fa650c3a3a88c0dfca7e348894446f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
01dca89a612f1617509a7149096200de

SHA1
b6fb666fc7a7bd0ffa7ea11db2be7f5429b26be2

SHA256
b2edc20f4fa81a65f889dfbc115ed53bbde85fd378d5acfa5bb61338619c1da3

SHA512
c2f4d3efd4e023791b2f5a470ab0f68c8135ccf106ffbdf043ae271f7bf68f224d66c5846dff4a4dd7fd02b3a147f829a8fb3977138cdd49624067f5a7c30b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
49d975c2e4b96c4c3777aa0051afe791

SHA1
9a3a3997b70be0368ce8a3380920721c6c516135

SHA256
0050ed0784d67035023688e9ad3fe96f9f41e08e9910c7c794f38cf937ad2ccc

SHA512
14a2136bd0c2769e37a3f2f245f2fc6fb098f5c7c7d250657b3bf3f7acaa62d11415e4566fd4d79543ee9d1ac915906fae85de73f42546285e5df4cf574f7431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f3053ba99ab2bef8713ea5e7ff6a7970

SHA1
3f16253957f00cf8ddb1a73282f67506f23e4a9c

SHA256
92799d2679a76a2b211da62f61d0aa81e599f2371753b30726ebdafa9a3a0fb4

SHA512
ede3451650925fbf402dd3094258ee391ff818dfea09dbad091ae2ae1a4bb78bcc95439bee3e39a6c3a934eb50bb54f6c524be5be2abcf7c5cba7c591c1afef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
9d0878b481bbf152ecbb3590380757a3

SHA1
8454ac1235b44299e42e70b9e995722b78170c11

SHA256
2deca9b2e3368d9af81a29c9c054889fcc9f1f7a0ef603d8d2880d1113bfa584

SHA512
49dfd5c3e9eb53b90cf6302f271805a4ea1ce768f17e29cda3adf6056f50feaa3598fda03b4577236081ad1392ec9c5749491aaec233c374f5763bddbaeab507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
5dcd911d8d8c4cf69ef461816afb5bd1

SHA1
47881434d998416c951c11c6710b3dc853e65ccf

SHA256
ac7ef47db6cd05686ffab9cbd7ea07676eb3c63c9d4ab6abf8bdb543fd3a23d2

SHA512
f068ff701f6a8f1fe00a638dc5c3a6560df11bbc709032e8d47a1cc5ffc2ef392d868052ad945d0f00edd044785e3127dab563c2932423c2dd1b5a2057394327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
61bdccd028f5b4643a1cb0e57758e373

SHA1
db0ae77afef328c397400de8016ccfbba70d0e64

SHA256
907866fcce1652c7027ccff7ddcdcb7dceb29b8e24b669f56273fced220ab78a

SHA512
39491ef9c09c077cc28875de3e4afd338dcbb59714d96134890143343f537d97a397fe24dcfab66c53a319f61731b6861b27eab554315a4416369c230cd979a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
9168d2d69207b73cdf7ae6015adb1d99

SHA1
2f294bee84fcd170785fc080578132f46da02fc5

SHA256
0affd57e75fe1b587af10b15e5d43cb6be69710c5cd0e33c4fb2ef1799c892b1

SHA512
33fa1349326fc2da2d87156428dbe3199142ecd881267496aaa41a492be5d00c313c7c67a7a476a5f4fb84f52816e814afa306f5c1d20c4351266a6f43368a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe

Filesize
10.7MB

MD5
cc7933b503e061ddde7158e108f19cc3

SHA1
41b74dc86cc1c4dde7010d3f596aacccf00b3133

SHA256
049f48024f31d86c5d8bf56c3da1d7be539c877ad189fb0c5aa9a228601d19eb

SHA512
87892a6f3e41ea43157cf13cc6402044ce41fd3d7eb7e456fced894c88d33786a80fa626c1b58436eba94997490256d2675598ba2e54b52affa64f5491c880a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

Filesize
304KB

MD5
84bf36993bdd61d216e83fe391fcc7fd

SHA1
e023212e847a54328aaea05fbe41eb4828855ce6

SHA256
8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa

SHA512
bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB784.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp675C.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1724_133613532805308000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1724_133613532805308000\stub.exe

Filesize
17.9MB

MD5
5ad46542eebe9910891770d619d7c4fa

SHA1
38b3d062740d4a350c3329f4e5d7627e4a980ef3

SHA256
6b0281ff5ec47dfabd801ecde7e55513e556ca6763a557bfb8f2c07b0e739bd5

SHA512
426aa5a0453dc0ad2494d43fdfa7d6c35f19770026650db413234859c34e9a1371272942e96d8741594a47832c4fb4391c217911bc65c6434d621f01995d1e64

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\rkill.exe

Filesize
1.7MB

MD5
6d622dcc87edc9a7b10d35372ade816b

SHA1
47d98825b03c507b85dec02a2297e03ebc925f30

SHA256
d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a

SHA512
ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58

Download Submit
\??\pipe\crashpad_692_MYORXTTUXGBOTAJI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Filesize
1.8MB

MD5
26d2630ef6f3b919dec5e2b5af18d32b

SHA1
4e650852f83a3b0d2b0fa276165dfa291282fa5f

SHA256
bd98d85fc24e8c6652396b25667273c74a2e29575e8aeb38f2fbb4ffa30524aa

SHA512
90ac6b5ff3a8c8c5fbb0cdd343231b8a994c171d65558e683b06534b48f6923c1cb99d0ceed0eaccdf606f9aa2759b7e2d9b2c46af6095d80b6c7f091e70a214

Download Submit
memory/1704-158-0x000000013F890000-0x0000000140AC5000-memory.dmp

Filesize
18.2MB

Download
memory/1724-209-0x000000013FB30000-0x0000000140605000-memory.dmp

Filesize
10.8MB

Download
memory/1724-241-0x000000013FB30000-0x0000000140605000-memory.dmp

Filesize
10.8MB

Download
memory/1772-109-0x0000000000C70000-0x0000000000CC2000-memory.dmp

Filesize
328KB

Download
memory/2596-15-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-21-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-19-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-508-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-211-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-355-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-210-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-186-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-244-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-120-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-356-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-1424-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-245-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-18-0x00000000011C1000-0x00000000011EF000-memory.dmp

Filesize
184KB

Download
memory/2596-1502-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-264-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-1466-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-1285-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-1182-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-323-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-352-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-22-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2596-248-0x00000000011C0000-0x0000000001681000-memory.dmp

Filesize
4.8MB

Download
memory/2656-91-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2664-14-0x00000000071C0000-0x0000000007681000-memory.dmp

Filesize
4.8MB

Download
memory/2664-17-0x0000000000300000-0x00000000007C1000-memory.dmp

Filesize
4.8MB

Download
memory/2664-5-0x0000000000300000-0x00000000007C1000-memory.dmp

Filesize
4.8MB

Download
memory/2664-3-0x0000000000300000-0x00000000007C1000-memory.dmp

Filesize
4.8MB

Download
memory/2664-2-0x0000000000301000-0x000000000032F000-memory.dmp

Filesize
184KB

Download
memory/2664-1-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/2664-0-0x0000000000300000-0x00000000007C1000-memory.dmp

Filesize
4.8MB

Download
memory/2932-249-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2932-246-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2948-212-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads