sodinokibi | ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Size

115KB
MD5

63a945da1a63a8e56e8220c4ccf7fd0c
SHA1

a99cf1a2426edeac97c789d0a4b7d38606d7aa45
SHA256

ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195
SHA512

34006d84587ea90e243ebe0dd6bde8bd502ed688001a412898cd4e4c16a5de5788a9fa4c53d3ea79e4307adaa74496e05b205bf9717ac833db976551b1a7c89c
SSDEEP

1536:ikB/Ih3+7QuoZVQgf5GV2jSzGpAyZ4ICS4AwnfxnuLdSbSmoNUExd9M4dgS:gFW7gSzKDin5nWhw4dgS

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\swffdjo9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension swffdjo9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We have copied financial files and other important information about personal data, it will be published on the Internet or will be used against you if you do not pay us, so if you do not want such consequences as customer churn, media coverage, fines like GDRP and other damages, we recommend you to contact us and pay the ransom. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/98B7F72715337990 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/98B7F72715337990 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: THVb9zYTY57nKUTpGGU9boBrXQI35ximAUMtDowhX2Y46nSvCkNrcng25xpJhedn 9Higv1HOErp31KMFMWsLnpYyw8OaSTuL3LQ1fhWLFHVz2BLf/w94Z2H+xqOGJPxJ AEQCy3KsNd8TPPs4WaMEUDxcpk62evFh2L5tIXIz354c9Ao4dWIb2hHLF87IlL7c 6y3AT0+0eIwMn2wjefsP51ZjRPwq/mdZBuILSKbPR2Xo79XUlnZROsiOtVN5ifyW 160bIaPn4xSUSA0fx7+v+l3D+/lw54UL2Hc4IQg7kuXZiiDqYpaJ/8IPOxq0E8tI W3j4hRT5QIzCVAQ/3+bhRn+bolG0LyrnsNNCSW4n6o5yzlxZqNCMcV8dwBbxBpUr yfh0839EuDfiCjbxmBybGhLF9SaUQV8ei023gW8+1jHsiKpgpvKQt5FQvGN+Zley +fdIiaxGZAzKeoHJsS6oW5OUr4hzpTVoZNrAyASWgm4w7wjr8ZR46j7hmGkK7jLd XbJkauGEZfNrC6GSEhvWJBtminFo4RvMZ8gBByzq2DQfk3hen0phfUk+4vz4jlKA zO3A2ToaMDTz+DDHyAXW5ptvKQZIzy4sZE8sdhLysZ77Q5TFd/LwwocSN33+c03N jkNO+omuoUjdBVHHo/3S1lP8tYIowJmoxN3QZga8bT3k4884yWnQZV87OKDENcru eIKNemNRTJGMcY4rZXKadkUNkF43z6ynRAUv+kLQ573tlzlRrcjDTSPFfIm1kZl3 9E05f+8Kd88PuQ5+MZ37ynkrl5ccfVGgPfqEtMTJ3Lq/dzImINsTIKhCeIXzfjae i5jDGo9MWpdS3MRL7SVhC8zkKr2rd3t/mW4ttdu7HkGolrbaL+7ibgeYjA0Cn705 Cu8C+dHONYCEA01P2BkayRI/3VQ6D0uKrRNXK8GzsTe+5XrvJUcDhpbGpDn+MwRA 6hfU4lfn3VE9VnAFvGquWRnD2f/5j42gY+37ZdtgBAB6XA9ycmfoWctTPZQifNKR e7ySymyGDqewPztU4m50ed1QR86qPaMFuBT2xyUk7dC/ovpoSmcM8RUJxh1wPPLH h+7Krtm28fL/vUZIAD/IpN7nqNdBhwEWzNGCnezu4/bKpsde+acckFfhdiXi6gD2 zulxCAXhDzP8eUocPNYqJOVWA8VgQDVA0FmaasXBeomk6IbH3PNc/RgwWnI/ZsDf 9lF95QfHvXuQ9LXkl9CPBDnyz27RD4z7Ni4iLJ6sQqFA/VW9UG55qrCWjWpWYrmT Lxw7iz1Dd8FAzsUr6tVxhvhl5w2kTfbmOcYv3By1/jaNoQVbwMhOEZb7/EK8kXK8 mb+Z6Z9tTOb8Aj6RzBCqnBHm5Tk5dIdWpM9KOpo/0sC76KyCcnOnm5US ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/98B7F72715337990

http://decryptor.cc/98B7F72715337990

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\O:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\A:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\J:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\L:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\N:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\I:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\M:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\R:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\V:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\K:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\S:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Z:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\W:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\X:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\G:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\H:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\P:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Q:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\U:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\B:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\T:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\Y:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\D:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened (read-only)	\??\F:	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w25le81.bmp"	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\UndoSync.mpeg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UninstallTest.wmv	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UseOut.mid	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File created	\??\c:\program files (x86)\swffdjo9-readme.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RevokeSend.wma	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SearchResume.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UnregisterWrite.mpeg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SubmitCheckpoint.mpg	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\UseStop.ppsx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File created	\??\c:\program files\swffdjo9-readme.txt	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\ConnectAssert.js	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RegisterMount.ADTS	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RequestCopy.ps1xml	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\RevokeHide.crw	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\SetJoin.pcx	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
File opened for modification	\??\c:\program files\WriteNew.ttf	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629264275010705"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
4512	powershell.exe
4512	powershell.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeBackupPrivilege	100	vssvc.exe
Token: SeRestorePrivilege	100	vssvc.exe
Token: SeAuditPrivilege	100	vssvc.exe
Token: SeTakeOwnershipPrivilege	3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4512	3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe	85
PID 3804 wrote to memory of 4512	3804	ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe	85
PID 1908 wrote to memory of 4956	1908	chrome.exe	101
PID 1908 wrote to memory of 4956	1908	chrome.exe	101
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 2720	1908	chrome.exe	102
PID 1908 wrote to memory of 272	1908	chrome.exe	103
PID 1908 wrote to memory of 272	1908	chrome.exe	103
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104
PID 1908 wrote to memory of 2696	1908	chrome.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe
"C:\Users\Admin\AppData\Local\Temp\ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\swffdjo9-readme.txt
1⤵
PID:3840

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\swffdjo9-readme.txt
1⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcdcdcab58,0x7ffcdcdcab68,0x7ffcdcdcab78
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:2
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3808 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4636 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4844 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4812 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4164 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4312 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5056 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1968,i,10323346119196957492,2015298316286170098,131072 /prefetch:8
  2⤵
  PID:4924

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
605f13e4eef1a9c06c938436f88968e6

SHA1
616005bed33ffd02f5b193319e85a66afffbf854

SHA256
5fcc6026d99ac151fc3b28ae3e825182bf281e8a544000b841126af37b8f7387

SHA512
eb116ac50c856ab7b369cea4817a4300a914c61a0c830835ec721ec321dcbdad37996ee328f4fc6bc9eb4ce3e556726afa7e5a2e71341d54b3fd3f5df0d8247e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\05360459-8b80-4eca-b2d0-edbbdc4058dd.tmp

Filesize
2KB

MD5
89a92aced05ba866dd1c79b7e4326ff2

SHA1
a8163c30ce674cda026627ae297d01e459591817

SHA256
b0951837de211ac2153baac401bc17926d532677e9f551d6ca06091e7e72dee3

SHA512
3327df7c5b5a6f16f3297636a65467113ed434be805b80a8e8050f1e4acdcc6cd43039c43180a9f790b2546b8c6ffad83de46f8463b823d72cae7a2eab9da273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
61332d8a508adffc4882521d0cbb48d2

SHA1
915fd81d15ae034d2ea04282a8e851bedfba5593

SHA256
377991fef8ed4018a88c6ad571810de8433dfcd5ad66b98d3d33426134a3ab8e

SHA512
3a723d0aedc8cdbcb41e112a4b813d107fa1c45424d0c2658c24ab2954c1efd20befd7a08605df08696a02daf04b84a67aeb9feaf325c47832675aa149c94ae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
08ca3e796c8e11af528d2b65e4b38165

SHA1
2597b9af92d23a5dd6bf019b186cad55ce95458c

SHA256
5edef192d1000a57c79fda9cd88fe7fa7d2dfcb52ce9a051f2bbfbed6ec226a6

SHA512
c9ada160f7881dfca4286b777c13f9e43f5b25c80ae59d215e5b6bfcfe548c32a08b840c1353368112023d05ad52ae67ed1f6572280b7c378a1385ee3469c018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9d474a25ea3108ec41a7f1a63032ecd

SHA1
7c10240c98ff00d7af95a79c099e70671407a897

SHA256
a5b1583b6336e9e25375dd3117e3e90a862f29e186dfe48a95a4d419c6db597f

SHA512
564bdc7060e9155dc7e232c7a31e49f173fa3cb4dd13291dda3efb074ff27141ac5287c2e41a442e5173771990c9dd39e9471924f7b88fa60fab778030ca5c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1b4b50751968cf805d68087cc4ae86cf

SHA1
ef3b33920cae05825df0a6973ea4ffd7726fe905

SHA256
f7d995a72979891fd44786297e5d8aca79bd987055b7a5815485ceb075c60b79

SHA512
0477ab9131eacb9215d65ecd26d969eea1fda0ce7808b927335af0e37cc8842cf4f698c2ac6757dbdece19b1924119beb0817400cbe39288cc77ddaa361c910c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bb658de28b0d11dc3fa91424769264cc

SHA1
46a5e93da3b7f03b3fcec5eba78495bec9df63f5

SHA256
c382e733bdee488d742a5c85b3fd1b1384a9c0ef286407d0ca49c6631160bb7a

SHA512
6bc79d28611bff08203397e08899a9eddb0ee7345ac89e8d9c3a137ec28eb3d31f00fec47354567b4cd949a167f8114dd3fc7a7b1f9545187228ceeb813315ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e2f05c64eb9d3730348e3162f6fdf3de

SHA1
bed6a06e5ca8f5ef8438f92061d5e29070d890e0

SHA256
39aa2ec09131ccb78fc31062ce3e10d9c514d7e5ba1404cde2c106d371c46153

SHA512
dcc7329bce855626f0c464a776e9a0a2930599bc5a206309ab19a4173c97ebf0217ac5e0575efdbdd5b002534d764c1a2769ef9593e2c3880e8917b0528d3dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
052c783ce92943d6a1f627f72b68da08

SHA1
79c3eda641599fc5ee443969babe90a66cc615d3

SHA256
f8009abe459fce4ef7ef8f05ab26038a7217ad3919c7df480bc6436709a8af1e

SHA512
c75d30cb9f9dc04f241d93daa636a0d163b50430b7e09177d6f752761ed95a5fb7e5976268e9ba246fa3317286fe17615bb39142dd2057696c01d61fc934934d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
308282d02d4d82c968661f5aada97cf3

SHA1
956c588c5c9f0418ae841ce92c99aa3d04561123

SHA256
56ebbb1d4368947e98d93db555bc0679909251b186a5ec03625b9e4ef1d51084

SHA512
115c5d1f38aa3fd0c1fb451fe12745d3be9aa61b5e683af6bc55e1d56de8f16fc969e32b1d73ada4d43cae57cd643cc5be59358d391de0474f54d019dd7701c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_llsjbwh5.yl5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\swffdjo9-readme.txt

Filesize
7KB

MD5
9f20627f879c79bec39473697e707b25

SHA1
76ac21ac13f38992e9384da676a55493b1082b87

SHA256
9bf9eedd4fb245a8ca5d4afe59d71eb070cadc475111e6e9ca711a2b8727b1e2

SHA512
20af665a0b6417a7e24aaf4a98725c6abe694a082ded2c362c67f1fa8bfb6026a5230f6e37e9172b140e7df035daee50532a7288647ba374a1f69d2dd2ab5766

Download Submit
memory/4512-13-0x00007FFCEAB80000-0x00007FFCEACAA000-memory.dmp

Filesize
1.2MB

Download
memory/4512-10-0x000002CB7AA00000-0x000002CB7AA22000-memory.dmp

Filesize
136KB

Download
memory/4512-0-0x00007FFCEAB80000-0x00007FFCEACAA000-memory.dmp

Filesize
1.2MB

Download