wannacry | 19a087166b899e4f6c63c76e3a8978a2429ed4e3f2479299c4b2a3f8872f6e3d

Analysis

max time kernel
502s
max time network
516s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 12:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Wallpaper.zip
Size

1.7MB
MD5

a66b6c0725433bb071089bb84bd0186c
SHA1

c45338281936074cab03d2bba30e899cae8df29c
SHA256

19a087166b899e4f6c63c76e3a8978a2429ed4e3f2479299c4b2a3f8872f6e3d
SHA512

3e93794fe6d7048a452a685d6a65457061467b8715fd59769db4f8d62141d95505a50135a7ecd5b3684f911b94d34320335de2bf71854dcc94a6d285b3ad9a6f
SSDEEP

49152:Rz5/rgN4ypUO9DJmePL4IFMt7wQmKX26ktvAxkulD7Gm6rD:N5zQQ+L4yQm8ZkuCGOm6rD

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD174.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD198.tmp	[email protected]

Executes dropped EXE 10 IoCs

pid	Process
2772	taskdl.exe
1780	@[email protected]
1868	@[email protected]
3364	taskhsvc.exe
3772	taskdl.exe
3696	taskse.exe
784	@[email protected]
3164	taskdl.exe
2376	taskse.exe
3168	@[email protected]

Loads dropped DLL 18 IoCs

pid	Process
3904	[email protected]
2504	cscript.exe
3904	[email protected]
1280	cmd.exe
1780	@[email protected]
1780	@[email protected]
3364	taskhsvc.exe
3364	taskhsvc.exe
3364	taskhsvc.exe
3364	taskhsvc.exe
3364	taskhsvc.exe
3364	taskhsvc.exe
3904	[email protected]
3904	[email protected]
3904	[email protected]
3904	[email protected]
3904	[email protected]
3904	[email protected]

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1748	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oipzgxjd460 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
140	camo.githubusercontent.com
145	camo.githubusercontent.com
148	camo.githubusercontent.com
172	camo.githubusercontent.com
137	camo.githubusercontent.com
141	raw.githubusercontent.com
142	raw.githubusercontent.com
149	camo.githubusercontent.com
173	camo.githubusercontent.com
124	raw.githubusercontent.com
144	camo.githubusercontent.com
154	raw.githubusercontent.com
128	camo.githubusercontent.com
143	raw.githubusercontent.com
146	camo.githubusercontent.com
147	camo.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3392	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000102d7195b7e1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration."	SearchProtocolHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2908	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2116	vlc.exe
960	WINWORD.EXE
1664	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
1108	chrome.exe
1108	chrome.exe
3364	taskhsvc.exe
3364	taskhsvc.exe
3364	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2116	vlc.exe
784	@[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeDebugPrivilege	3028	firefox.exe
Token: SeManageVolumePrivilege	380	SearchIndexer.exe
Token: 33	380	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	380	SearchIndexer.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeBackupPrivilege	3404	vssvc.exe
Token: SeRestorePrivilege	3404	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
2116	vlc.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
2116	vlc.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
960	WINWORD.EXE
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
2668	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
1548	firefox.exe
1548	firefox.exe
1548	firefox.exe
3592	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
1780	@[email protected]
1868	@[email protected]
1868	@[email protected]
1780	@[email protected]
3592	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
3592	SearchProtocolHost.exe
784	@[email protected]
784	@[email protected]
3168	@[email protected]
3592	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1872	3052	chrome.exe	35
PID 3052 wrote to memory of 1872	3052	chrome.exe	35
PID 3052 wrote to memory of 1872	3052	chrome.exe	35
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 584	3052	chrome.exe	37
PID 3052 wrote to memory of 1304	3052	chrome.exe	38
PID 3052 wrote to memory of 1304	3052	chrome.exe	38
PID 3052 wrote to memory of 1304	3052	chrome.exe	38
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39
PID 3052 wrote to memory of 2600	3052	chrome.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1296	attrib.exe
3472	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wallpaper.zip
1⤵
PID:2280

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2712

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointSearch.ogg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5d59758,0x7fef5d59768,0x7fef5d59778
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1384,i,4983923197139735829,2227545985947651059,131072 /prefetch:2
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1384,i,4983923197139735829,2227545985947651059,131072 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1384,i,4983923197139735829,2227545985947651059,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1384,i,4983923197139735829,2227545985947651059,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1384,i,4983923197139735829,2227545985947651059,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3216 --field-trial-handle=1384,i,4983923197139735829,2227545985947651059,131072 /prefetch:2
  2⤵
  PID:1684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1596

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:784
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.586011051\66456794" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dfb08d9-83cc-42f1-9336-a9d19f617ff6} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1312 108cd458 gpu
    3⤵
    PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.1.580859498\1706990311" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41965362-c731-4d3f-99c2-648b07d102e9} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1516 e6fe58 socket
    3⤵
    - Checks processor information in registry
    PID:2372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.2.473176714\1107958815" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1796 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77b210ad-6c30-4ad0-9bec-bdefc3fe9456} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2160 1ad7e358 tab
    3⤵
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.3.1099555060\377380975" -childID 2 -isForBrowser -prefsHandle 2448 -prefMapHandle 2596 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {893cb9a4-bb36-48fc-9bb7-6d25d6b301bf} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2388 17ac3f58 tab
    3⤵
    PID:592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.4.570549637\1675166541" -childID 3 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b252f80-3e4f-4993-b8fe-b2a511a55d29} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 2996 e62258 tab
    3⤵
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.5.1751368306\1199658274" -childID 4 -isForBrowser -prefsHandle 1080 -prefMapHandle 3816 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6fbbc75-cda5-40b3-a92d-04e30913150e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3832 1d2e3c58 tab
    3⤵
    PID:2788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.6.413658532\856276955" -childID 5 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf81f353-ee12-46a0-95fa-aa28ebd3bb71} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 3928 1e54e658 tab
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.7.110093210\1312008127" -childID 6 -isForBrowser -prefsHandle 4120 -prefMapHandle 4124 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {824ffad9-1351-40d9-9d1a-2aaa5b87f2dc} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 4108 1e54ef58 tab
    3⤵
    PID:2432

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:380
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  - Modifies data under HKEY_USERS
  PID:1628
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:3856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  - Modifies data under HKEY_USERS
  PID:3616

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RegisterUnlock.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:960

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RegisterUnlock.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5d59758,0x7fef5d59768,0x7fef5d59778
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:2
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1564 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1400 --field-trial-handle=1340,i,10852303166864379632,7597251296078806062,131072 /prefetch:1
  2⤵
  PID:1152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.0.1891462759\662012124" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64d24dcb-fe22-4dff-8952-9d77facb906b} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1304 e9d9158 gpu
    3⤵
    PID:2988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.1.1859239551\920774057" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e56ac2b-aae5-4c04-983c-14ed0e1d26aa} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1496 d72e58 socket
    3⤵
    - Checks processor information in registry
    PID:1192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.2.936223580\2052218447" -childID 1 -isForBrowser -prefsHandle 1900 -prefMapHandle 1764 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {294f2235-d448-4681-ac48-95c7cd612aac} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1080 e95c058 tab
    3⤵
    PID:2532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.3.1580935771\221574641" -childID 2 -isForBrowser -prefsHandle 2704 -prefMapHandle 2700 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9acced1b-05fb-4cdd-8039-e9d3e86904ed} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2732 d62b58 tab
    3⤵
    PID:1008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.4.315275235\1123339564" -childID 3 -isForBrowser -prefsHandle 2868 -prefMapHandle 2864 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e31f488-f34b-4ce5-b473-12cf475bbc7f} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2880 1bca0b58 tab
    3⤵
    PID:348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.5.1729603688\1721957960" -childID 4 -isForBrowser -prefsHandle 3492 -prefMapHandle 3732 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba159501-31fd-41e0-916e-75ee71de0504} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3748 1e778a58 tab
    3⤵
    PID:2672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.6.1810764088\989031849" -childID 5 -isForBrowser -prefsHandle 3836 -prefMapHandle 3872 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a79122-d17c-4501-b649-aa65bccf4a2c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3860 1e77ab58 tab
    3⤵
    PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.7.1809597830\2127324446" -childID 6 -isForBrowser -prefsHandle 4044 -prefMapHandle 4048 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7da5114b-086f-459d-88d7-0f74a0097bf0} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4032 1fe08e58 tab
    3⤵
    PID:2180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.8.1118771668\1336278216" -childID 7 -isForBrowser -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3479ed73-d26d-455e-b478-1c59ec28c2c9} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4368 20b5bd58 tab
    3⤵
    PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.9.1597055138\774755856" -childID 8 -isForBrowser -prefsHandle 3828 -prefMapHandle 3036 -prefsLen 26715 -prefMapSize 233444 -jsInitHandle 816 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd2b941d-eea1-4e99-bd7c-43cd70a4e034} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3040 1fee9358 tab
    3⤵
    PID:2224

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3904
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1296
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 165091722258356.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:904
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2504
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3472
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1780
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1280
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3280
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:3392
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oipzgxjd460" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oipzgxjd460" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2908
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Wallpaper.jpg.WNCRY
1⤵
- Modifies registry class
PID:3304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3552

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockUndo.MTS"
1⤵
PID:1488

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockUndo.MTS"
1⤵
PID:1628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
84ca72efbf79e289bcc90292b8a5580b

SHA1
e1246a230739351a44850d75a27bc8052a9462bd

SHA256
9c7bc0480510edd003dc9ee6c8b9cbd42301900b8dfcafc18698c896db1aea1e

SHA512
4d037f7fea337a3343456a7c5a7253f38e479faeeb260a189877c752941f81dc6ff55a1087a78f53251428c49979f4f5fd57580cecb4ce146323b4060df0f877

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
34e3a180bf00000e94ed10d31033aeae

SHA1
5f6c52ec94f364a297667d638204214a5ff57ac6

SHA256
7311c6cc07a01c8dda0385ac73a5d89a57e73487fc40a314d69e0821b58d3c41

SHA512
b190c938d04cdbe678e2ce2ef6f21bee1ddaa113009ab783cfda9947ee742f27d77e2868fa77ca17c4a5d712f469911459fb61e8ca71b3d02398477912acba44

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
99c061f909770f067ddd1a79af5ad943

SHA1
09849ce5be55af36bf24e14b97348b6141710a3c

SHA256
f8d84f0983ed452ea131f762a1f171a9a6ab42368cd60f46fedf7388c5151b7c

SHA512
c28e935f5a076c8f2a2616a05acd18dbdf81be1e00f70733746929045813830ecbf792b3298744c94737b9df3c6684f7f02168a1ab524f2e9e1ea7d385d549f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
472B

MD5
013c2aa14753b74057eb294ca2aa01c2

SHA1
d797dc4d8b2e6b233bd9b8becaa18f8a4d19cf33

SHA256
fdbc9fd8a94228f803d0b26220a38e25276beb2febf384f143dd79549eaf35fa

SHA512
71014129a127e2fa10f1f5296893c856ffba008dbcca797749d82f4413a86dbe6c030759be511dff05b25f271af0b18b161c04ede394a4ff17a2e569d1e03404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5ce5554c-c924-4f67-8d65-69f951d8946c.tmp

Filesize
160KB

MD5
a89417f30a1a2c802b8dd99b9cf86339

SHA1
4c05788d7563cdfd162fa464dd1fc7f80b32fc2e

SHA256
c2d615b6ad5c6ff772770ca10383457d7ffb0eea41d3e317ca60aa8151a426fb

SHA512
0505c65d90d63026ba43ef42a4bfd1f003f6c3484885aa26677f93d5d9fedba7bdc3488e297ff6899a4fc058ae2973bc1f3afa9e3235e9455351250d05c03546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9611f650-3a91-4c90-969a-33509eb8b551.tmp

Filesize
311KB

MD5
20f55456275f3108ef35377abfcd799f

SHA1
4ad3dfbd01f26325bcc18a5948d99792d4a2dda1

SHA256
cf742b1278d704c245b4c808d3086203ca1e6e0a15a834b19e4f624feeb309c8

SHA512
12a7e7387ced75bd7905b80d7092fdd98c0e2e1c203af4eb406292bef4eca354c0f5796006b7acd58325f0a8c388f097c4730a050dfb11b078b62ae5b91c5615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ca884b9f56c1a54418d0567909d733d8

SHA1
784a175d1f780cae1ebdcae0b76a047f054c98d1

SHA256
c6f2142ff52f3bcfd677b1b5c884b586d878fa10267495d5a2643c3119f074cb

SHA512
2da2a3853922d08eb9cd5c52167a2574e179bb660726bcc251481ce81840f7e4de0ba11d39256019b0a43f76f9674ddfd6e2b75ffe2a6cd37aa26f8dcb5fe445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
3ac93fb60cd2ec48d5acbfb0e2cbc0fb

SHA1
80e7609e15b6ff705a8b8e78b324afe5129e1a58

SHA256
4c3f478c740fbe4ac3cb76416f4512f1e9414b4a030c09cec93618790c765bbc

SHA512
689c60ad12f495eb07f0576bfe5905a38206d41c37add74634184653c80cbf9de2e39c57c84986d3a041bbf7398da8f2a49bbf92a9104d72e668be35fd033783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
136B

MD5
955e8a6805f17972d80b885abc0fccf4

SHA1
761190b76e7b39fa5fd2ed9e6aee012e3f9db171

SHA256
185e3c14e53ed02a8d135c490eb8c22bb496f9f39aa351914895ff114df03f05

SHA512
74992f0188966fe91f6a134f2cbb9d3bf752bb5afbc5b137fcb1eb66693a80d18946837aade1c14569cd3f42ef72686939201f55fcac04fcef987d194fb7c47e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007

Filesize
50B

MD5
1be22f40a06c4e7348f4e7eaf40634a9

SHA1
8205ec74cd32ef63b1cc274181a74b95eedf86df

SHA256
45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691

SHA512
b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
136B

MD5
0926df9c0757ba51190e7edde2498a45

SHA1
13480dbdf82e1ae4b52abbad76faa4392ef72a31

SHA256
acaee310f7591b913e7b392631491845bcef51e4d72f389927598701c9f953bd

SHA512
2f21c5f08e2e9df961e2ecb6fd0bcd620a5f3a5d2742d5bc9d7fc81ff3cd57c1c45c68ac8ca9830d2025afc97fae93b7bd38d48a5949f1e2400a189eaf32f251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006

Filesize
50B

MD5
78c55e45e9d1dc2e44283cf45c66728a

SHA1
88e234d9f7a513c4806845ce5c07e0016cf13352

SHA256
7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec

SHA512
f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f11fcd22608dd518f6d3420736effcb6

SHA1
31de70e00c51b020431f0d5bcf1402ed7c49804d

SHA256
87716a20ee3be7e27cc0bf94ef8385d821fa4b8f9097f620d68e9788fb2c4523

SHA512
7b0119b034bbd80a3d87df546ec4d10eaa0155b446f22c9a196c23ceaaeeeb3049c25e5923169224d2a0adeb7fbf42931424955c51e58beb4fde993c4d3fe234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
73dd5ed172a0946f5045c831d347a075

SHA1
44a648044951363c8c1dccbfafa24f9558276263

SHA256
471d8acbab930d024127e7db14c0552b8c8ef096732ad485368e212fe29072cd

SHA512
92a12b8b01cb743fdfe10bba19bccd13cd2bd0cd99bc5725b959282ac0a6c0a9778f928d91c1a29575b8c7294a4a9949bd32419e9ed13d6b632bde8395ddb148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log

Filesize
38B

MD5
e9c694b34731bf91073cf432768a9c44

SHA1
861f5a99ad9ef017106ca6826efe42413cda1a0e

SHA256
01c766e2c0228436212045fa98d970a0ad1f1f73abaa6a26e97c6639a4950d85

SHA512
2a359571c4326559459c881cba4ff4fa9f312f6a7c2955b120b907430b700ea6fd42a48fbb3cc9f0ca2950d114df036d1bb3b0618d137a36ebaaa17092fe5f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
247B

MD5
dca5959ddbb847ec5d1cf19450eea2f4

SHA1
3265cd0f8d3ff9a3cc2ad483ff4ca45e7da99ffb

SHA256
f4aa8ae771c2451ea3e39b55e759cd28d0a4bf0d0be23c846a1b5e6b1a03cc8b

SHA512
df557168dd520d4f069dd167528a02715c0e1865765cbb8fa73f7ab6712bee486cb7f78d15c94175693dc7b4e22163962e95b20eba107c7fc046dcea54f7548f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007

Filesize
90B

MD5
b6d5d86412551e2d21c97af6f00d20c3

SHA1
543302ae0c758954e222399987bb5e364be89029

SHA256
e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191

SHA512
5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13366731577238000

Filesize
1KB

MD5
1e21ab35171db3ccc88ac8de0e912e44

SHA1
73da13d5daf908b589688408d7023de88339433d

SHA256
d30f7bc4b32d301eb80ee3f65adebe8ab7ad79a0b92efb6bf655d2c8d1e1bcfe

SHA512
37c1328a3b0b86a0fbad6c730de33cffb3485d66847437fceb437342f14e5cd1c9dc36c05e4436c9b20d85086c9d2509a5746e2723a344f9b3d8d92883ed762a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
136B

MD5
85c6bb0028f67e8b8f8d71517fd78b53

SHA1
5c00f4a8b9e852978406c866ea22ef59d15ddac8

SHA256
bcb39a6fb470f606c6c43774e4747b78710c60522534bb994a1d8ff5531a794e

SHA512
693814195df0f7de2ae1ee52d10450cb8d02acff88af5d1c9e0e50febf5e875a8d868912b466fefdc8a1ebf0ad32bd9c4d4483946a1d2f948cd5fd4278614840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

Filesize
107B

MD5
22b937965712bdbc90f3c4e5cd2a8950

SHA1
25a5df32156e12134996410c5f7d9e59b1d6c155

SHA256
cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb

SHA512
931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
98e7c09432333799a751e87c6d53bc99

SHA1
112e53d9ee5802d72a4c435bead7012682d08915

SHA256
93d7827e9e2e979bf606146b41bbc16f5eb91b6bd31ce1994e52ac26c254d847

SHA512
0751373b3b366acf41c7f644b5a6f8aefe5e69f25b6ca46f8ceab2f7dd3c2ef6ddada395dc909638bfeed91853e50c68868cc63eb72b4e2d7a071c1bdae55af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
250B

MD5
b4211804da950fea551ed322e4cb94db

SHA1
da506e21699d8880ac61743eb2edec8e9db1041a

SHA256
e9b4cedb695f73ec09a6cd55c23c3e1cc745ca2cd143260d9ad372a3e9f07ffd

SHA512
f5780e1967ca836e15eb73173244cf2281c1a3782430e9353c930681d237624651ccaef509d5e4ffd40ca90bd75b18f819696f1547d89cbe47557b3077f2687e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

Filesize
250B

MD5
17955c6a1bfe62d0dc5fef82ef990a13

SHA1
c4bc3f9ccf3fa9626c9279ecb1a4cbfbf4a0fcf5

SHA256
1cba135964cd409db09911c7cd4699112622596ff633cea868a83c54088c03a7

SHA512
5fb73bb4f7eb1c9e26f34e5d0f310783c7e629e717760ee38731a52a8e3fba6831d77abf0f37631fed820839a00c9242a582e59266de08d3c92c5c4f83c8e7a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb

Filesize
485B

MD5
5b1dc7019b7b8e74c422530a9579384e

SHA1
c37c3275f78e2768d866555f0395ddb20f32e1b4

SHA256
ee1d16dd35241b1f4517d53911ae39090ffe5a91fd2045e65c29591d01e477df

SHA512
a7e020a6206c469b65d444b41b99f7b97064330e02cda88ba5af5d10dc66a2c826d8e6b0e88d9d1939956d93181a69ab7b705acdab4032d172caa43c5a23b8e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

Filesize
19B

MD5
a2f36fd75efcba856d1371d330ed4751

SHA1
fb7c3dff0fa2b47c6f0026287d12d16d05d14d8b

SHA256
561fe33b81dac187686e9e50103590f3a857f4e1b9c8ada714d43964b938ea7f

SHA512
79ca96560a074fa678cfdc06007d0e1e01718831d18c4a800c5361b8ba8091b46acada47418a8d7be3b626d2d9af5cf346abcdd88166a9d1634f81157ab1ad6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
249B

MD5
10f6177f1d91bcf227f4e605fd069045

SHA1
5fe60116b1f1e9c657ea5379b6d6ce42e15de2dd

SHA256
613ec0170f6ee8c9b65ab51280c04fde7c8deb9d50616d1666d3d0d8aeae1147

SHA512
c88085f9639ae4d4f452cc3dadb61a8572f6716693d0e0d63180d6b60b3ea6ba8d94ded6bde767a70834d23b2dd9b7e222fe53aa3cbe4dd64c18cfc1d74f601a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

Filesize
98B

MD5
cce6d9e0a2fca760e3a7904fca2fa80b

SHA1
b637051510893c6688ef301bd59532f3255b3a01

SHA256
7833d6eb2a94306bd3d04cf593243cda062e5deb67528a767a43f42d8a12e159

SHA512
17740ac23a35c466429bd338214cff75d51321a95eac7785e3ff2b5597a1d6cc01a52bdfbd4143b0510affd86b4a892a6f0d337d057ee464d788abd8a4b7b2f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

Filesize
318B

MD5
ee979b6741a4ab9344ade8e8a5ba7041

SHA1
d9727ac1785b5dd231ffa2646cf64376fc7d9f17

SHA256
3a96430102f631d13e948b8ef571bc338c09bc245e5bebea2ef148b37f62b7e6

SHA512
78304ca9f8d96c011dbad85f4f529c9c74fd104557d1aed1ff87779d0c56831b313a2cf6cc8f8f73f5d96a7e362c412a4c602d289fb296c25986401486753400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

Filesize
34B

MD5
fe62c64b5b3d092170445d5f5230524e

SHA1
0e27b930da78fce26933c18129430816827b66d3

SHA256
1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4

SHA512
924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
72cb44b8904d2be1722c9cafcbfef9bc

SHA1
4d473126001b414cd3e1d12d98617fe958ee6675

SHA256
04d69ed4d404d1916e23c99b5d47ed2595fe0f285cf5553f32c1cf7e5b2d8955

SHA512
db071229e61ad7d4b4a3de570b8c6d29be009895a5ab4cd2b335bae6e0d7ff2bb8c5f1701640d36883d54c486c0cfeb0b96de27f807fc223155cab64cdb472ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

Filesize
118B

MD5
d5842b6fb90a67708c353f0f3a33be85

SHA1
48a9e06c9bcf2791ac6376622d6dea179689255e

SHA256
c63523f14d423eee3b43947283056d5219edd0c63318007b1b876e24ab101d03

SHA512
1a5f288211bfdceedc802fe9de9cda4596d3db06222a742600a67262671f5084feb4ac797d39a10c02854590f680d47df39cd81bd41312a0807db597beabbaec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
f575dde29752fc8f1f75de157c1b4663

SHA1
3d54f504e5f28aa48a96fc3d748ef7d43561bb46

SHA256
784001a99bb53204aa18f9ff0617d4b04646b046f17dad76edb70408966486be

SHA512
9ba3459a495d33c3b51e3b596207b45c2866f01ab43003651112faabd0416adf4526029b19f14475c2e4fa8948b6cca7ee56fbadae4ee2077cdd17f350b52077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
709b805f80091c902e4985312f4b0646

SHA1
e63b78f9fe2171571cc81355825bd13ec5f39d00

SHA256
367f4246b9ddd0060c0bf6c3b9892b7cb2d6ae948c025668f2cab71db7452427

SHA512
bf7fb9df0f431022eb52ff21acdf58ec9eb463045161bdea8c2058affcd8e02e7bfbaadb43ad1a9c42cfa642324df50873d0f09f04b22d248309e1706a44ad72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc

Filesize
1.1MB

MD5
abc3f7a6aca8613cc37c4eb3566438bf

SHA1
90a086a543fcec620069ae052f03c385186ef817

SHA256
ce23a4bd7a26123158c4d474b0ec4c2cc4eb00b156dd76cf9fc29a70712dab14

SHA512
9d445a20654c5f6db2776573f1a0a8aa4b25303e51e15f017253ce5ec07c0b3b3f38903502dfc3c38192ca7515bb0deafcf396caf3d76893dfacc955f64d4717

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
7b4e8073bb87168166903bb114a84f11

SHA1
3742bddb3e239ce6bc28e516c58a770d17182ad1

SHA256
c08ff822a249f9f86021a2a6e2ca92f523f51fa85e4e933c68704fb4a5afca60

SHA512
ef574d83d0893e45ac52810e3619892612a54d76096212c4a46d842fc69f7117cba4aa6a9b9919645ca5c1d1ea3c53f999d063ec83234b3fdff14eedb4dd81dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\11179

Filesize
9KB

MD5
3d67f04f8529a1fecc3aebe3e75b72e7

SHA1
b4b63e855332e4170598ea2fd2887b1ac684e0ae

SHA256
c6a56aacc6904c70868888ce59f750fed2096958940d814faa4995524f198f1e

SHA512
f766b6fa015da788e5492aa604acab884971117a4e24a3183fec5d8a611eefe5b7efd812f376c9658aa9a3a31e4cf54481383f8336519089511c6df4f75ce680

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\12859

Filesize
47KB

MD5
c1e1d6ba4d090c333ac97033f999d0fe

SHA1
bfcc9ced2932767bd7be019dd16d0b879abce01a

SHA256
423ba7d47ec14f3e213baecff7469034dfe6e54593214104ee6365a265ab42b3

SHA512
23350a2de6a7e1bef0355f425de9366fb5d54bbdfb21a119751ea1322487f3c0ce7d5ff2d8ffaf2931233b4e2cb7a0ca0d7bf3d260e226d98f74289edcd828a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\BA4CA3A32A0AB365A9EF8564FC67AC4461845518

Filesize
68KB

MD5
54a110472908be336a1f0635912b7c66

SHA1
c2dad908e670bf7c524cb220e0881d1372ae533d

SHA256
5153bf19ec5aeb5f02b7bb392c31409d9ce91e82c4f8805fcff49ab3ded1cb6f

SHA512
0f4cfdb35b194141932578bcbddb747c55432fcef5f29b417a11644c5fcdd3ae7ee1170643ca4cebf4b1ead96f038f5b6f6257c8d179e458a198ec5c651ef93c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\BB67B3449309EC6617C64DE8F83571ECD8DE14D3

Filesize
38KB

MD5
8717c860d643434aedcc36fdea644a76

SHA1
a426ef55684591768a354b6fe4438bfae1bd46d5

SHA256
7247b0fb0aacfcc8f17f414be70d0e40e7d52e7e352930ff41dd77fcd963c1af

SHA512
6e7aa97c11ecdc006219e844abd0bb5b188854c3342d843ce7e95acbddd3807ca24978a4fd11bab0c7c7fe5f399886b160d378e3a4f7e8897135741d3d2cd4b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\BF0923D6C9AC3F4148AB74C98E937ACD57DCEAD3

Filesize
50KB

MD5
5c52f8574b19a6a3d48917f37c053fc3

SHA1
73aecc17e50d99f063195709d1c6833ec5cb3c94

SHA256
94a06a336a958651b83a55686e1e6e14e0987eb8beca66102be2621e13831862

SHA512
c059fccab894da44f0a6578bca8b4df91702c25fdfba1caa21ccee0885bfa25dcb2fb3a62ea7b00845baf73dfa4efa9cffe6fe6c981668c798cbacb58e245448

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\FC16C75B5606BF2DD15822549DB47B518E844CBC

Filesize
52KB

MD5
d6f97e2f8471b2223ab826774a07e37d

SHA1
c4d44b437148c8ade47611d7b17484048ae8a1b2

SHA256
4a1152d833abe02569f5858abc50968160d9f6843a45b6ed1e8a68a1b0bd3b5e

SHA512
2a4c47ee957e0789ecf152fe0c3e35444a0bf2e164ca3607f65bd78c97106c39213624dbb0fe610aa5ec1e54bca4a14369cc4edca34ff49a9bee53472876b00a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
0989e3bebaed03f9cb2d5d3bddcd72d8

SHA1
c061db43a3b769aec6af75cd84969f19dc1273c7

SHA256
6ea2e56c58fe6cc0bc1a2e15311f4ccbe68b89fb232e46ea6e4bbbb454caf382

SHA512
3fd689f33140bbb72f693399bbffa40b69cff6367130680fadcbb63709a16ba0d6eaf65f81ebc06fed5267b43cfc844e5c4698c70d7ee8dce2612b1de8371666

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
348B

MD5
2ccb45736f2afc9703a7ec37f402960a

SHA1
9d1af1eb3a7b96634d61b763098aa177b720d130

SHA256
0542cfa39871770a37d1961bd2b5591676ec4115c8a97fcdc0780da57e0ab675

SHA512
37112aee58379ad4efe0fc004d29c407386b169aa85b03c52fdd3117050e280ca3eb158cdaf24c0a3918f56574c01d5aaa5e45fa57ea6f16a6ebd4b5f0dc8fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a6eb7b572a59a9bc26ac52c742f16da1

SHA1
63b28e13546b1711f0010d5aba0741eb5d8d524a

SHA256
456f7a19ea9237de143fd3e6fdd6ee95c1c9a3f6bd55cbd2badd42d2b9b36945

SHA512
ea7d1a950f8636e7c349d438635a211a660c3c5e71667a65f045009ebeac0364bb399ef046927c9d7d973637b987a05209c25254ed8e63287e76ea11e6e93623

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3e27424df4f7d5955a1c4e3fe56a6c06

SHA1
bab84ec4cbddcede7d6c39da54b972fba2ab0adb

SHA256
b387a0b5c6022bd6162461f11019b66fe81353da1dd866ff20fd8b2b5e228cae

SHA512
8e997f0d98b0db07d6ed58ee8dba08f2495970887c4fbed58950dde10b4c1553528274b310aefd09dd10c8847f5437d1ff5efb863428f6c84b5758ab8d588d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
10KB

MD5
cc1ef1270854d7b8dc4c9fd223552a5e

SHA1
0a8bed7af73502ee393e9e532aeb58e4688b2c6c

SHA256
566685af946ed34eefcbe998cae4e231141b90e997474f38734823d4044cc913

SHA512
bfb60c4be88be3749c04a4cab045f63234e9e03a6bdd242c74c2c2b474602d6cf099df203fd8e99ae425a0e503f84d651ebd222da9e0ff3f18ee32f028989aff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\5ce812d0-d3a9-40c0-b417-a4d2c6a19233

Filesize
745B

MD5
103c391cd9dc533968cc6c85b33d560b

SHA1
b0bd617404bed1608ceb8646abdf578b221c52ab

SHA256
3748f8dd7294070578858c71fdf60b604b7b95a6dcf1da490513890b885534e0

SHA512
ef87064d582def0032d263672590547e137202e284909f1b4d5b7997825fe6901fa3affc46094582331ea7475577e96b055036ec0d08d36c646245be40fc3f81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\ae54a16a-442f-4119-bbe2-59ce86e8d384

Filesize
11KB

MD5
bda882448e76e36c5a0b711637153610

SHA1
7562ab7688f758eec17fe341229f552bd3d49320

SHA256
8e11f687498f0f4609143756c5947c83aaa39b2439abad1f5e9a50eaa3f50f8d

SHA512
05ec248dc2e21d89771e9bf18cef4064b6a73f87e4b6bd2836a5315407881314c055300e207c2309654042dd4c289901a3cf8e15954c6022f09dd94f51b06ebb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\dd3ef9ae-eb3b-4e60-a60e-94bb82944733

Filesize
656B

MD5
a8993c65fd0fe870e6f7a27169026530

SHA1
0e29df58bf7318b4ba289171c1bbf9f9e65388f3

SHA256
5a6fce24bbbe7c108286ff25cd8fa0f55750ce723a02126b22624b07a17a5e1d

SHA512
4ef5e67f81d7d875c8deb9f19bd5d2563ae603dfd5ad77777b211cf81fa3b2af309c8be4919e77eeebf74f10c8b12a5c9f57dbf0f70360522d66c1a82b728850

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
e9ba2db450d85237e24c2f15e3575d83

SHA1
5c566d6a1847ac93215b0246cc12fc3e2f74b807

SHA256
c9fa3178c51982475366ed40b0813c640f9742311c38ba34a6b90403b87796ee

SHA512
f653befe312952032c0731af2dc20e04aa4d23c8c22a352a84c66f4f92022bf6ba186b7a2ca2c27a17dbc17d3a735f1d36bfacd4c38b98d1090e8e9fcf7d5835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
78f52bfdc53788c42848bdd1f6ce4c31

SHA1
5828e35d87f4921c80788412230d6d21160891da

SHA256
74934e990982896a40f50e956d020f3db59bdc0629c788138239f48c2a1d3f80

SHA512
1820aec130410ac0a687bc8eac4e235281bba9b5d747d33e517fd711839d52a52c1d45556bd5de137116ba55e7618996d7bb0e7d90411f6724c353a3dc407e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
df2a1aa3fe7b49ec3ad8819c8314900a

SHA1
1b7433689a63762016917eb49087de6b6dbe2e8c

SHA256
5d2c0a6debd5459b18a19eda52f6d0323dfd9415be8f824d0456fb1aa00e5432

SHA512
7238e849ab580a6f81cb63dc17e1d6e770bc08d5f7b1c89736a315aee0fb53357a08b98ed732c15ebae11587ab698992199c80128e3e9caf734f4e30e2412d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
87307f19b4c4b739d0afcf4aeaa817d5

SHA1
216119168cb237c7e57c181865afa6003b2c4acc

SHA256
074f1f0eb0bf2f6253c3987c4d6b89b0b903dabc6821c07083601b187e173a3b

SHA512
019788d538e881db8ff9832a95da4199129dba51d095c1a8d729e52ec209e55dd0e54822ef0a760fddc12a43dc7af420b33d8fd24c4abddd8cbf424b7ddf8c45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
43232df2999f07a706d2bdbea35eebba

SHA1
1627663f427cb8a377d52fcb84d0c6cfb6d075bf

SHA256
aa7a6a85a556b8897c71d786bcfa199e6f4f99d379b8647422aa16e7cdc728ad

SHA512
78deddb480a45212884b6dee239f40197104eb182c1c96c6274b3ce233478726bf087083524f18b2f2a91966b0df549cc22a2148217bc619ae05a88a0e8f0f55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
fb9368b11f3db8ef63641ebf30c87aea

SHA1
cf0ff837130d4992c0d83cbf51797205a828caa8

SHA256
226e2cee145f98919b89df71d0ff462871fab38f4f1770997ddba4f3c8c7d03f

SHA512
84ae17aca3d05b71ceeee7981b5429794c52bd99e393f2e52100fd8a99445506e3bba3d058926dfd13187fdb60d42394d539810b1ac684e566688ab9bac71d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionCheckpoints.json

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ee71f45e9bad26fe6880693d72653f24

SHA1
c917ffd08ddd246d52f8a2300f92b74a06cd2546

SHA256
99d43a92c17a7c27fee2db0f4978c6f9a84ac50b13254cd9340847ec123960ba

SHA512
8074ebb813083330da7454c7fe33c80e0484823e691defefde1b1b54d6bca9059a20a925edd994d54613a3668e72cc6ac8550e637daf6d0feb1b3db71870f985

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
424c37536fef46a94e7de04e79c4f013

SHA1
93dacd3065f71d6d494809194ece4f021108886c

SHA256
e19d126b7cfbe25faf35bea81fa3ce5562e6d5e33d38f2024efdfd2f472f5297

SHA512
8ecf5c89ae3a058bca5b48f228a3700099ca9b3e0fe3cfb239e4b0f9929e49275592fac8d90fd27951e75b64cce96e3f83e4a704ccbd555ee24831d94c97d1e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
b95d5c27c97fb554956779d966f65e51

SHA1
de2c984dd0a3e97f959184d09f66d6248e5cd4b4

SHA256
41db11568c21779180f369a6180a751c89afd85242d8297b4a29e7ff7d0268e0

SHA512
4b9131ea093cc95df0778cf7758906f7cba30320ecc53624499236022a23e3379ae37877ea005fdaf394988a496805e335f18abc5d32832207c87bdfbd5b4b80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
360f391efeb7508dc08b521b9cd62f79

SHA1
653d84514840b9c9aa9d7a55670ec7e05e2d59d1

SHA256
2e359cc7b900bf463e3e09786fb515d0eccb8cfad0575b3d657d836a4359b83d

SHA512
15a8788341ae1fadb9f2d8f4e05662b4d83f1f1d7d1b98c2003a5f451b7efddc58cf985fc530cfd743e015334d2e5fd550475a3da7d1d1e728a72935e849e9c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
322c617b6b7c5cc00ca663b1e5f8b6ee

SHA1
a790388a723261613f6ed15c35ac88ead1eb4622

SHA256
de7a57f3b4d83711dfceb92071b618eb0a92def6fcc352015e8c7d60269cec3b

SHA512
7fac21fea7f3224fece7cc9e37e5ddc57da485853a3d3eefa7f55d801c68ba3670cc8184839532039ae6f8575aefa115505b04a01153c8b0442e5eba27244848

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
dbcfc4c7963b5f876206428808b5b2ca

SHA1
8aebba86cf2375e56d3217c50a99c3391b885c75

SHA256
6c2e8312d6d7e0f3c2ec223705dea1ddfe4536542b26dbe56f7d67de7d9f6a2b

SHA512
7201165a96f31c169a1b7b3bdf1608f2b86d24f96770d4d0c4d08b0b23c38f896942eb26ca605b3a94e19e42c04d840a79ca6843a89ed195d6ba06d409fbe1cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
5c6864267257cfe0512eecf696843539

SHA1
bc997377426e5a0ae6a52a02e06cf3514d6c9809

SHA256
98335d657b9f4be33bc992fd220787258a522d3b95c82ca428ab96ca1458cc68

SHA512
9e8748934ae4e57010676814d004b837186fd14bd1fd502cd1a304b0d9cff0d7c4316ee0d1d75c6787e76f2875d77ea17890d5e2e74f8e06d75e856737f20efd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
dff8c2b6a2e826b0e6af78caaa62e03c

SHA1
26e82a94b37605ac3fa5362348f0aab74e438d33

SHA256
471bd6a9f3f8ace8483b54e62aa6e0f5cbc6f0ee5fefc8fb0c70d8547a790d14

SHA512
0d23799a341a8f9ead5efda8cc611b55401660e9eeff042e73f4924d09452a5638ec29e20f23fab2e815a61963714fdf413a3e20fd7f734bdc7f62ef0a89d427

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore.jsonlz4

Filesize
8KB

MD5
610b52831b4349c61d3bdf83bf9d1a65

SHA1
d3a613933545b078a9408ba8de0f7365b6d47d46

SHA256
d2abe93bb595f614567b977be611d65883e424a6676b47405917891596a3de78

SHA512
26372cac8a85305999d91d01105cd0a176120fd41868e1e9c0caeb61c5634961420744d25fd9a41646d5123dff6272a7bd1d5b740b74cf802df550f153c78f90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore.jsonlz4

Filesize
839B

MD5
18b08243e552a29d8301cf1435fa8de8

SHA1
59879db96c27b34d09f5db405b5e5372a9d52dfa

SHA256
7c811e5a58e990f98ecfb1d2879b06b2dd8f60c545b104f9d17869b2b6da4ec6

SHA512
532fba3af333419a215de3bc129b1b902d8688507a0119a9ea988eda480ecbc0784a664708ecb5f773268648b83168885dc5a5fd0ac378fcec5787008dc9bf17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7e1a89da00038cc46c62096dcdd1d0cf

SHA1
b02913641909b9910473d6d833b54286cbcad636

SHA256
f253cc4b5069da8238b7c9aed49c248b0025b8d8dd0d72650fc49d45397cf9a7

SHA512
3976a5128109a70183f368a5fbc572bf7151b58cd3c725807fe345331c8e20ca8b16c9deff75b53bd24d20e710c874a765db1634fa2f18b2716134506466094c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\xulstore.json

Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.7MB

MD5
93aaccaa2249dd80fa247de4a483669e

SHA1
52faf4fdd2235a1a2fb65bab719633b689ee210d

SHA256
2b7a35e476c35d0788249a09b740575c93f5dacfca03ae7290942b5807a66631

SHA512
19e7a9d470ec170e0eb439c50f878d3ef076d87f8909cdff10bb846b051d10799917bffb91353191c68abc8ba0515ccb3191f0f43a026894ed6b6c1869f3cc74

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
81B

MD5
65a33f66ae0a5f7ffe3a3275e1cef175

SHA1
2cbbf3cb830bd29da9ade90c85b8910c2a4e7334

SHA256
30616b44ae36565cd9c6635f2f3b9ae3bcbe4fba42958c5c3e7533edc76ad5c2

SHA512
f9d2c5fbbdef87141ef726ba79229f88769a51905dc278781e0b6e8c4560e682e4879dc968c194a9cb217f540bb754cc4d74856c48fdabb3c0f7779709fec794

Download Submit
C:\Users\Admin\Desktop\165091722258356.bat

Filesize
318B

MD5
b741d0951bc2d29318d75208913ea377

SHA1
a13de54ccfbd4ea29d9f78b86615b028bd50d0a5

SHA256
595dc1b7a6f1d7933c2d142d773e445dbc7b1a2089243b51193bc7f730b1c8df

SHA512
bf7b44ba7f0cfe093b24f26b288b715c0f0910fa7dc5f318edfc5c4fdc8c9b8a3b6ced5b61672ecfa9820ffd054b5bc2650ae0812804d2b3fc901aa06dd3ca14

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\~$gisterUnlock.rtf

Filesize
162B

MD5
3c477c50f937e5c2e3fb53e2bb6e1df1

SHA1
caab5d4237df141615ae7acec9e2b3e1eee60a07

SHA256
c3324fd3119dac8dd45d4b9ecede1eb26442f75d0113c98eefb4a3b4b2e09ced

SHA512
d8b093c74ebcf2dc7dbd010bafcf42dd2e269ba53dc3881b7abd6ff35911bcfc274da3808234effe36cfbec3319422639a297bc6fb73690d17114c2a1c284d8d

Download Submit
C:\Users\Admin\Desktop\~$gisterUnlock.rtf

Filesize
162B

MD5
a5a545ab1d481c177a7f26cfc80ee14c

SHA1
abdbd68d289e532464dc5888e608032603365ffa

SHA256
e31d2b68eb20cb5627db473545054e682434e01198e32def51fd784cc315f98a

SHA512
f8f2c0b330b0cfc9725a047e18ad64137fcc33cf74c687c33c5a4056dc50347e519695ffe414478a131afe5b641c80c2432e23bbe53fc18c9c97f705bf520123

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/380-367-0x0000000001B30000-0x0000000001B40000-memory.dmp

Filesize
64KB

Download
memory/380-351-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download
memory/2116-33-0x000007FEF5730000-0x000007FEF5741000-memory.dmp

Filesize
68KB

Download
memory/2116-24-0x000007FEFA1A0000-0x000007FEFA1B1000-memory.dmp

Filesize
68KB

Download
memory/2116-34-0x000007FEF5710000-0x000007FEF5721000-memory.dmp

Filesize
68KB

Download
memory/2116-36-0x000007FEF45F0000-0x000007FEF4601000-memory.dmp

Filesize
68KB

Download
memory/2116-37-0x000007FEF45D0000-0x000007FEF45E8000-memory.dmp

Filesize
96KB

Download
memory/2116-38-0x000007FEF45A0000-0x000007FEF45D0000-memory.dmp

Filesize
192KB

Download
memory/2116-32-0x000007FEF6420000-0x000007FEF6431000-memory.dmp

Filesize
68KB

Download
memory/2116-31-0x000007FEF71D0000-0x000007FEF71E8000-memory.dmp

Filesize
96KB

Download
memory/2116-30-0x000007FEF5750000-0x000007FEF5771000-memory.dmp

Filesize
132KB

Download
memory/2116-39-0x000007FEF4530000-0x000007FEF4597000-memory.dmp

Filesize
412KB

Download
memory/2116-40-0x000007FEF44B0000-0x000007FEF452C000-memory.dmp

Filesize
496KB

Download
memory/2116-27-0x000007FEF4610000-0x000007FEF56C0000-memory.dmp

Filesize
16.7MB

Download
memory/2116-41-0x000007FEF4490000-0x000007FEF44A1000-memory.dmp

Filesize
68KB

Download
memory/2116-29-0x000007FEF71F0000-0x000007FEF7231000-memory.dmp

Filesize
260KB

Download
memory/2116-42-0x000007FEF4430000-0x000007FEF448C000-memory.dmp

Filesize
368KB

Download
memory/2116-43-0x000007FEF43D0000-0x000007FEF4427000-memory.dmp

Filesize
348KB

Download
memory/2116-28-0x000007FEF5780000-0x000007FEF598B000-memory.dmp

Filesize
2.0MB

Download
memory/2116-26-0x000007FEF7320000-0x000007FEF7331000-memory.dmp

Filesize
68KB

Download
memory/2116-25-0x000007FEFA180000-0x000007FEFA19D000-memory.dmp

Filesize
116KB

Download
memory/2116-35-0x000007FEF56F0000-0x000007FEF570B000-memory.dmp

Filesize
108KB

Download
memory/2116-19-0x000007FEF5AC0000-0x000007FEF5D76000-memory.dmp

Filesize
2.7MB

Download
memory/2116-44-0x000007FEF43A0000-0x000007FEF43C8000-memory.dmp

Filesize
160KB

Download
memory/2116-45-0x000007FEF4370000-0x000007FEF4394000-memory.dmp

Filesize
144KB

Download
memory/2116-23-0x000007FEFA1C0000-0x000007FEFA1D7000-memory.dmp

Filesize
92KB

Download
memory/2116-46-0x000007FEF4350000-0x000007FEF4368000-memory.dmp

Filesize
96KB

Download
memory/2116-47-0x000007FEF4320000-0x000007FEF4343000-memory.dmp

Filesize
140KB

Download
memory/2116-22-0x000007FEFA3A0000-0x000007FEFA3B1000-memory.dmp

Filesize
68KB

Download
memory/2116-48-0x000007FEF4300000-0x000007FEF4311000-memory.dmp

Filesize
68KB

Download
memory/2116-49-0x000007FEF3700000-0x000007FEF3711000-memory.dmp

Filesize
68KB

Download
memory/2116-20-0x000007FEFA8D0000-0x000007FEFA8E8000-memory.dmp

Filesize
96KB

Download
memory/2116-21-0x000007FEFA3C0000-0x000007FEFA3D7000-memory.dmp

Filesize
92KB

Download
memory/2116-63-0x000007FEF5AC0000-0x000007FEF5D76000-memory.dmp

Filesize
2.7MB

Download
memory/2116-18-0x000007FEFA5E0000-0x000007FEFA614000-memory.dmp

Filesize
208KB

Download
memory/2116-64-0x000007FEF4610000-0x000007FEF56C0000-memory.dmp

Filesize
16.7MB

Download
memory/2116-62-0x000007FEFA5E0000-0x000007FEFA614000-memory.dmp

Filesize
208KB

Download
memory/2116-17-0x000000013F2F0000-0x000000013F3E8000-memory.dmp

Filesize
992KB

Download
memory/2116-61-0x000000013F2F0000-0x000000013F3E8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads