Analysis
  max time kernel: 340s
  max time network: 338s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30-07-2024 16:19
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: https://github.com/kh4sh3i/Ransomware-Samples
    Resource: win10v2004-20240709-en
General
  Target: https://github.com/kh4sh3i/Ransomware-Samples
Malware Config
  Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___H4OGCN_.txt
  Family: cerber
  URLs:
    http://p27dokhpz2n7nvgr.onion/9833-7228-2323-0446-9249
    http://p27dokhpz2n7nvgr.12hygy.top/9833-7228-2323-0446-9249
    http://p27dokhpz2n7nvgr.14ewqv.top/9833-7228-2323-0446-9249
    http://p27dokhpz2n7nvgr.14vvrc.top/9833-7228-2323-0446-9249
    http://p27dokhpz2n7nvgr.129p1t.top/9833-7228-2323-0446-9249
    http://p27dokhpz2n7nvgr.1apgrn.top/9833-7228-2323-0446-9249
  Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___292GO_.hta
  Family: cerber
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Contacts a large (1117) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes:
  pid  | process
  3660 | netsh.exe
  2596 | netsh.exe
Drops startup file (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ | cerber.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Drops file in System32 directory (40 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\documents | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word | cerber.exe
  File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook | cerber.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\SysWOW64\config\systemprofile\desktop | cerber.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE29B.bmp" | cerber.exe
Drops file in Program Files directory (20 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\program files (x86)\onenote | cerber.exe
  File opened for modification | \??\c:\program files (x86)\the bat! | cerber.exe
  File opened for modification | \??\c:\program files (x86)\word | cerber.exe
  File opened for modification | \??\c:\program files (x86)\ | cerber.exe
  File opened for modification | \??\c:\program files (x86)\bitcoin | cerber.exe
  File opened for modification | \??\c:\program files (x86)\excel | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\powerpoint | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\onenote | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\outlook | cerber.exe
  File opened for modification | \??\c:\program files (x86)\outlook | cerber.exe
  File opened for modification | \??\c:\program files (x86)\steam | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\office | cerber.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\word | cerber.exe
  File opened for modification | \??\c:\program files (x86)\powerpoint | cerber.exe
  File opened for modification | \??\c:\program files\ | cerber.exe
  File opened for modification | \??\c:\program files (x86)\office | cerber.exe
  File opened for modification | \??\c:\program files (x86)\thunderbird | cerber.exe
Drops file in Windows directory (64 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\steam | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\desktop | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\office | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\excel | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam | cerber.exe
  File opened for modification | \??\c:\windows\ | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\documents | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\word | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint | cerber.exe
  File opened for modification | C:\Windows\SysWOW64 | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird | cerber.exe
  File opened for modification | \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word | cerber.exe
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cerber.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Kills process with taskkill (1 IoC)
Processes:
  pid  | process
  1056 | taskkill.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133668300118368869" | chrome.exe
Modifies registry class (3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | cerber.exe
  Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | OpenWith.exe
Opens file in notepad (likely ransom note) (3 IoCs)
Processes:
  pid  | process
  4048 | NOTEPAD.EXE
  5556 | NOTEPAD.EXE
  5876 | NOTEPAD.EXE
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid  | process
  4452 | chrome.exe   (2 entries)
  1432 | chrome.exe   (4 entries)
  1620 | msedge.exe   (2 entries)
  4404 | msedge.exe   (2 entries)
  5744 | identity_helper.exe   (2 entries)
  924  | msedge.exe   (2 entries)
  5964 | msedge.exe   (2 entries)
  2352 | identity_helper.exe   (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (27 IoCs)
Processes:
  pid  | process
  4452 | chrome.exe   (3 entries)
  4404 | msedge.exe   (10 entries)
  5964 | msedge.exe   (14 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4452 | chrome.exe   (32 entries, alternating with the row below)
  Token: SeCreatePagefilePrivilege | 4452 | chrome.exe   (32 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid  | process
  4452 | chrome.exe   (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid  | process
  4452 | chrome.exe   (24 entries)
  4404 | msedge.exe   (24 entries)
  5964 | msedge.exe   (16 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid  | process
  4404 | OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 4452 wrote to memory of 3128 | 4452 | chrome.exe | chrome.exe   (2 entries)
  PID 4452 wrote to memory of 2184 | 4452 | chrome.exe | chrome.exe   (30 entries)
  PID 4452 wrote to memory of 1140 | 4452 | chrome.exe | chrome.exe   (2 entries)
  PID 4452 wrote to memory of 1164 | 4452 | chrome.exe | chrome.exe   (30 entries)
Processes

- C:\Program Files\Google\Chrome\Application\chrome.exe  (process tree level 1)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples
  Signatures:
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
- C:\Program Files\Google\Chrome\Application\chrome.exe  (process tree level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdb758cc40,0x7ffdb758cc4c,0x7ffdb758cc58
- C:\Program Files\Google\Chrome\Application\chrome.exe  (process tree level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2004 /prefetch:2
- C:\Program Files\Google\Chrome\Application\chrome.exe  (process tree level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2108 /prefetch:3
- C:\Program Files\Google\Chrome\Application\chrome.exe  (process tree level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2208 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3164 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3128 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3116,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4900 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4360,i,11197527724589710722,5459349659886619607,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4740 /prefetch:82⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___4AZ6_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NQ76_.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbf4e46f8,0x7ffdbf4e4708,0x7ffdbf4e47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6351507689245864056,11480027396429197543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\4bbc4bdb70c74bb7ab5d2a750e46c17c /t 4084 /p 42961⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___4AZ6_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NQ76_.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\_R_E_A_D___T_H_I_S___NIR2K_.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbf4e46f8,0x7ffdbf4e4708,0x7ffdbf4e47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,1474031572044595786,12054030201804300262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Discovery
- Network Service Discovery (1)
- Browser Information Discovery (1)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Query Registry (1)
- System Information Discovery (1)
- Remote System Discovery (1)
Downloads
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
  Filesize: 649B
  MD5: 8e65a6884a65600a5d59dd372a5f19d1
  SHA1: 651bb9d4257a159cd2d31cb98e7dea09796b34b3
  SHA256: 8a168bbb0f75caac889cf80354214ff2c85c007e8910621ef6f75837c09d60cf
  SHA512: 563662ef5d5f0a0f51ad169a01b65aaf60fdf1e348af5e2fca8037ddb5329896cd63c7787a04b818333f6b555a2cf80756d6da678074a5d7551814f72f705549
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 3ba2e0854521affc715b2e300a84dba6
  SHA1: aecd3b6c159de600de75f43ff1136f75ce7bb9a8
  SHA256: fa1027b384c94f83676b17b36d6565f98cafaf1e396f1e63698fb56910bd2235
  SHA512: 9c4a995f10b9e2c0faff189ed18096a5f87d8a927d6ca1439b458626c1f329d6d9f3af6bceb7008f155e47a1e970d14897b8b6ae0ac7ea8a0465cf48265e48f8
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 2KB
  MD5: e911388188b15f17ce6e61c0b9abbba0
  SHA1: 77b7ce4dfd108d27305c43d1ad9520331f0bb059
  SHA256: c2e441d2d0347800e5fc791042154840ab2890ed78dcd6b01348d80c4638ef15
  SHA512: 9a9ecad0e0613a2815fbf6e2ab8e4b74b88bc165201388e85aa432608ee29f49c4380f1011a40d111808d99940d939f839e977285a3931dbff80b5736695dc23
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 1KB
  MD5: 02b3186dd4b29cc2ee42587dae36dbd7
  SHA1: b95095df8ca093cc04cb6c3e0685c61464df7e5e
  SHA256: 0892e67387620fcd07aa71a5b3f8eac262710517c49692f9fa13ab6b74c23f30
  SHA512: f175e1c3d64cda74d32de9a383aac7fe6d788116c810499c65965de71dba52e89d433450f6de3f4fc1eea5fe9ce12d9465c86223813ce66eb3cc4f478368bd32
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 1KB
  MD5: 403e3d22d4546962673ffde88c8c63bc
  SHA1: c77ad8f4cdc08593a3db9ff85334317460e90cad
  SHA256: 4a43c7249e552cc00edcc88826b0396f8d2261288aae190b13da61f8ed0e7782
  SHA512: bb7e98850982edbb7dfc26f35eddb5cd1bf1261c7ad7c69a346a4409dffa52abffa3624cb440504b7f244d33fe995fc36d1b2e463f97f3f4b4ca4ce8b773d5e9
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 1KB
  MD5: f5ce46ff7c337a672bdad04ceb8fa219
  SHA1: d9641fa39fd92a7c0cbf0f300cb3775e117e0cce
  SHA256: 326dde2f0f6efad1f3d28708b856c115f2072b3b773a1c7def4f95667ffd6149
  SHA512: e4d50575958feacd5af54ba6368c35d8f66e781e688d3498ebecff2fae343ad75fce00da1f55800193f4de7fa809731a54f13392c1795e0a67973adb26554f69
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 1KB
  MD5: a73713696478e1dc0ff6fa5d6cb3e4a9
  SHA1: 039046bcdcfd7ea14f030528029e4afc55714699
  SHA256: 34d338dd7360a4cfc7fdab24463135e716788f7e872918f061753c8673135bba
  SHA512: 6a2d2944e755e382f0cc7b8cf5a04d30aa17fa0ef9df3f63dda0810735e8b0a8adf2ea749eb7c1b128a5726685b55b0869cf370ebd8f21d61d4933c0075acef2
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 1KB
  MD5: bad9b28162e64bd11889965dd04f19e6
  SHA1: c027833c02d22c5484a0097f791454862a73a4b5
  SHA256: 72467505340aa57fa5a5e3e761a6f543302b9e1ae17134d83927da36ff9473f8
  SHA512: 5bbbf3f488ebc556e508e05d7581920ffdb26f6cd213e9f505ef0a61deaaaefa1e50a79330a279296ae24cff1797ee804088cca187196f9760e6ca9bedfbb9bb
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 7c87ecc1efd2ae6a33d363b91cbe5fa9
  SHA1: e81d64f3e6739773a1bfbc1fa7b7ff76a473df8a
  SHA256: 9bc58c5ed3c17fba804e7bd4e45a3cbd6c6271e610f434db9b960d606c60687b
  SHA512: 9739e8bc3dcca3932307fd08cd2785dfc5fe55b2d2000605d2e245d2f426be74e07fb867a94175cf082e310a6af8068649c822662903c098d6c930b88de2c3c7
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: a4021577414e24ab902ce74ac74b0f63
  SHA1: e23cddb8a9f91afb3555fbc9da7e6b284ce5d8e8
  SHA256: 2f856b2ddb349078ba71ddab72d6b992a096298b800f74ddb28d056c572ad9bb
  SHA512: 71e7982944853e9a906f5666990be55459467f57f1d97629662a589ff35e156e38f47490f51b0f0e17853f2d4ed1b58cbc1eea60ce7de899b4c7a5736a3dfaeb
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 7a236243631acf1f11aa091d67cbc819
  SHA1: ee6404c099a96a38a508ca91287e192447d1bfdd
  SHA256: b353881523ac558fd2637e39b38b03102e4e2798bf3753271c5fdf84b864b010
  SHA512: 5d99b4ec7518f27c9d904f51ea99c7f8c3e3bdf0e9f4db7466b1c6f83d8b242a6e5482955d1ea0cfb41bd869d972c02838d85b34aeca3c35c4081a663fa11145
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 9de5a6df4855f41e8849c0072d32f88e
  SHA1: 978c568427aaca7b88074aa57442206728aa8206
  SHA256: 482f8b5b665d3ec09aa176fe3358f6be1821e8fc6beb9345d0bd79a5ace7638c
  SHA512: 20c485f1b518243d0599567a14d81302e40d5361ac78c7033dfcc8a1fdfcb38ca04f92915bf75d5e67d089dcb6441b80cf4ca3d0d6cdc4500b2b44d3d5072457
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 3b1659b28c8dca4555c2eb7cc66bbd58
  SHA1: 914055b57a13b2b2eee7bfe1466c8b95d066f30c
  SHA256: f25e19cdd1458bbea755c8ffee2f1e6a75acb42755fd2234f3fde0afb10ee656
  SHA512: 1db93e32c6d08060e32c5c1402ef8319d3007572ac3f64c49765fdc3a695c6ada03fa4a3c640e66393b071c481a8ed2a4789e63d3320141b1b7f9761f0240680
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: cc5308464360d258e4b41cf10a9b48b4
  SHA1: 28e8f5e518396e9dbd7d421a3fa045887fbdf539
  SHA256: 4b5f54777682e29b80c22b5573156d8576f097b645510a06faf72ce2b9415554
  SHA512: 39174b67ff8906a2284e337ca66352261cd34a984d5c8ec66d0835d5bd9743265aa0c4592a382ee980e6682106c26e4c89fd0c0d7a304baf5f96bd211b345bfa
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: a85491923067855349c2f5f6c1b86ccf
  SHA1: 1323c94493e5da1c740f41f111f6abbc0d4b6fb4
  SHA256: 9930f39ad4b4b58c6c0e739adade3369deadffa038217c0c6cabcd6979ad9ca7
  SHA512: 842c42415fdacd521bee216260155dcf66b05907f58c50c2e23a0b7408ed1251abed31cf61c8fa5a9d16743112d5f2306a712892eefc5a93ebb916bed8f63e23
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: cf1b19842ac38e46d4c6004ce8c3328b
  SHA1: 959d84923894cbdfe70250e943b756d848120eeb
  SHA256: 1cb62be1888dc759794cb077a02448817141d95a40c310f6b76f980d8e86a94a
  SHA512: a25a2112accffed05ec413e0b2593182902dd74e583b1da1669f8a688bafbe98caceeaff9ef85584962ed1a5b78b113ebf07b479271fa97a09829413991ed863
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 9438be15f0f2eecb42900a51e18c17d5
  SHA1: 1fa27d5db755a06b0a63165be94c70ae76a576ae
  SHA256: 56de61fc7c5a1076d23214ac61711147eb616a27ae3c202a855ad99ad083a656
  SHA512: 922a0d674c55ecc8ce4b6c67240c17effcd006444c02228e3d92abfdd393fd1e81711a4f1447edcf2cccbd103ae67c28e4a2b065448cf29b25c01a30924f8e58
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 59b87b210c54728bfa7d4f907726b947
  SHA1: 00c382bd676a3ba7e1d2f6a792b6a145b0ed0be5
  SHA256: b00762ce79da7660fbdd4532bd70336f5423ba65a9e2d5494ab9396fc6692290
  SHA512: d634b5d940fcf5bda275275584dec1db9eee7ecd0636242064d11bc8bf287498779e4a83a510312dfcf1022454818bb9d4f9b3b0e6a9dca1bd71d980e3b9b489
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 5a060719eac2a9e268ad56d51315aa68
  SHA1: 5aaee12d3003eb4c55c9162d0b8a6fa629b5c8e9
  SHA256: 5eacf290e8f3dd231ef871e0258e12f6374f1b2ac3e4a0d1b571f90786552485
  SHA512: 85709dffa0242b1da6897725647f37c14b508673f59df14b9a128e577e92ead93bea363b76c2506a703200ec986165b00a3cf47eea513a2397d56fcc1dc06315
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: cb44b937868a4123683eccc38b25abd2
  SHA1: 3baf03e37838e4c7e6e40304cc16030782c3dee0
  SHA256: 11a750c95097d155c787f9a4f5893dbedfe12a6334cbe16f17e89973b5731f77
  SHA512: b844d535685a66dab99e1d37e8044c6a4daedcbc398bc156f4f372f0eb04bfaf97ee8c1d83636c9da72d37374d0364de1643b49e870a88d05c5a2a1d6a7fcfbe
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 3e8df1d11f97d24e188ec392e3f294c9
  SHA1: 05157a485e66284de7e856b8492d66c258ed9006
  SHA256: 705a3c1b6fb68c5c741b5981eccbe731d7872558818ed016e4cf188f27554151
  SHA512: a248f27b810a61cdabf02c5ae6ba0f7879053de640966d44c925777cd1571bb8dc0920c782f2f3ccda1aab9432b1e99fdf1b62627e4c9331ee9815f984570093
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 65034dd01f98ce0664a8d46ddec3edaa
  SHA1: c6aef885bc1dd3eb6051cd27e53815186b76a7ef
  SHA256: 197edaaa3098c293286618a4e5f8250c7f60fbe2caabd2fa7fb857bab01decce
  SHA512: f41429341e574e95b0c098cbee262c923b9c604518b1ddf651ed108ea18f912604f8d8c16d07e299f0d2ca72d0238c1e821200340d2d055c8e9b7b15f8c4febd
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 0355c9196e11069ea83b09dc3e129fbb
  SHA1: 3c9f8c36f91dc629e8ca3c0d5288df923eb395dc
  SHA256: e7f3439ade9092b580a00ef398aa540e7711fbe7c8f04a65511f0efe69920227
  SHA512: 4791de5cb29ac6fba559b551c3e73bfc1d1e3e4134d84d6271a7dc0ba1da937b2355e5feaab6a0c23700185fe78a6b2081439e6c767cbc6124ffbce4d21cbcb6
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 9KB
  MD5: a5c2417848faf97eaa374eff97c602f5
  SHA1: 2d592a03684d870a3e1d45f7ecaa0bfc3815bae9
SHA25633f7a6274a655afa7fb300370e8379d4953e18157c2c678135153943b0356f68
SHA512f05923b8202e9e914a5d460ef05d88fce76f5683725fc5427e41bb4bcca98fe4225937a79a8caacc477d1e62a6fa9d5e799042c6734102485e31753c29d79dd6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD51f1dbcd043571b0ba47fe1c31e28ac8d
SHA18728f7191cad3653e08d812e78b40c023a61eff5
SHA2568524e68c7f2a9b354f1274adff72f2fe150e342df1c60c93c1666747f63e6afb
SHA512139d4ddeebfcf38c88f4c931b32a4e282a1e98f3cb03820911102d0b56fd18bbc9280b498fc694dbf1f15c38184a1e5ad3817424b7383358225b228c474456b8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD57047799281d41a986cec99ce3d32f5e9
SHA1a1fd58bcb00f7ebb60c79552f956d6781a24df0f
SHA256454ee44aeab83e0163a913c4ad086c5611e9306ce95a14a986caae217a638f72
SHA51244104877810a86aa2c52ffe3bdb34f1af775fd23c89ff4e02270e072f1dd5845382847db83c3fb17b50248d54514cc7fe5932fcce4c54ac4521a7655351e1d45
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD53a551c18ebd9e1e09a0a21d26de72232
SHA1c8be26683037727a2e4dd6fce4eea98f1057784f
SHA2566d20949511a6f3ffb38a18448fd91eda62f1f19c089671045833f25a71f8cef8
SHA51221783238b42c3743fac10e0d9e8fe78706a85a699ca62e494fac5b9a8c02574b3b7d78ef0d3f16be4421c7789408d9076908f86f293033feb250a0f61d3b89ee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD5902d674e09757b201a5e1d52ac87568b
SHA167429dd323b366b585f1ed02ef9f741b3055b617
SHA256ea935ac88c45b94aafd71dea2e21af87551440ef58bbc20407bb56815b38737d
SHA512d595c14767b6149acbc90fffc79e91c9a0777d7dc8803077463691bfce1c50f14af7c09feb8ab303ba70fb67f26c94f2f384ebfd390d4d5fea45fd39573489be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
9KB
MD582038df8889bd7e6384402f0a66c2014
SHA16db036352f15a1636cda2b8aaad45d2cd28c7d08
SHA2568c92dbb34cbfa71dae4226e7ac2329b8881ef3c8f197370ad53c024038f65537
SHA512611e3bb01c5b59307ed50081b3668888d2f94e5c222dedb355195c67d3d0c22b104734b8ad8bbe1a7134401a0c1f5c4f22ae489227d7a57c3e10a9f5bc428896
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b5372662-bed3-4352-b459-6a3bca2a8d3d.tmpFilesize
9KB
MD55018a4bb9fb59db472afa31025923e7a
SHA1689356e0e01b02d9c9515119a567dd3daac67492
SHA25697050626a3069cfd8d32b9ca577b3fba3460cb60b2f7c4b49341ab71df2681bd
SHA512943c6c61103830f27dc53672ace48cc1231fa672794c881c386887f96a2323d9cd33c54bd6bace091ef06083183d1c047b98432a190999163839bec0dd5a84aa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
92KB
MD5e68e64227db81379685fb80e1de3264e
SHA125eb314af91acd3fe5ee8583373d56ed3f74ba4e
SHA25602a2bea8fb237db83aef1d6a8a993ea846c7c2a49b418d86cd75d658f1de9cd0
SHA51228505ec6d90e5a08ce2707d8f12ecc9e13e4eb8d57baaf24191d347d2a4b1a09e33bfb0a57baaa626a8e8ddfe026a1c7f5ef0c4cbcb445dee912044474c3c29c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
92KB
MD56a8eb8bdc73425065443e1fd3320f64e
SHA1492b91b8d8d8550c4e204337fb478613aaf263e0
SHA25686d77efd5286e7e5f4cbfb451dc4d46d7fbc05e4f716a3e2dcdd2928ee6dd5dd
SHA512894684fc36e7a324b72df0cdf6fa89ede59c5f762d81760504ea143e2dad468c5e897016db49b2a9e550805162f13d1aa019f4a459ec4a11a5dd1aec4bc85637
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
92KB
MD55e8bb77d8ed0ec0cdcf308985edf90dc
SHA121e2fe9093ae0d03275c0768c7066f02a19e39a3
SHA2567a9293a2892c5931a2a21ec5f4d0d65a27ebdf6f450d5d9f228d139aac3fecd7
SHA512e1a03f9928347ed3798ffbb3b2049e3babf1bb06180ac9bacd81f819125ea06a45aaaeb269de34bc5f65347f919a9dd81f0e71d9e2349731fdb8c12ca5db3017
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5440c1250d6124793ac40c3ba9ae869b9
SHA1b82601b3c1420c90de4d8d381abe8fed44fb8e90
SHA25615ce5816eb05c3c4591b73a7297be5eb4b49ba040992494718184b84b407af97
SHA51210b28e8c7dd6a380cdf34ac21d624fa2a7458dea19d1e49f68f76520740bb416f035882710606279537455d6c243f11ec1587eb3dc349273bc6490aa5989df7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56d6046f979e593dafd4b8b1b49fddfec
SHA11e37f6d516feaabf08a6a3155b36429f3a12048a
SHA25624f5290e000de03f64091d19ff912bbf620ab3fed67aa1237bf1618d155b051c
SHA512cf57d956f98f26be475c8b940b23937110e734278d54d959e42e242c717b0c9e2282a50a6afe0c3c7bc71f050490dbb364554580a3969d2d4316be01c59938ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59622e603d436ca747f3a4407a6ca952e
SHA1297d9aed5337a8a7290ea436b61458c372b1d497
SHA256ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261
SHA512f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD504b60a51907d399f3685e03094b603cb
SHA1228d18888782f4e66ca207c1a073560e0a4cc6e7
SHA25687a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3
SHA5122a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\71dc6549-7178-4b9f-adf9-59965da14663.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0Filesize
44KB
MD5275bfac2f63309c4888b12d52b3a5605
SHA1b58c03c39bd9ac33e4d4021007c2b58f58d17b8f
SHA256f4aebcd0aa2ac278f327e6effc4350954db65ce4464bf1b6e76804ed74c88d5a
SHA5129556df41d5058d9726bbfc97d181b0d87dc57c68d2e62a725ad14b28f78957aea98014ae08c8f7cba270cce4ce16742ed5832f6b4163b403c919d79feb60f8db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1Filesize
264KB
MD558c3659271ffab85df6ad839acd88f84
SHA1515df31e8995fcd4fe36a7338edd151135d7d0d4
SHA2563b8f9991fe4d05646549f4f711f8be898a879e5b8124243a4eb347c968eea3f4
SHA512d2548110b90fda5b828857a4824d64b1fc55bfb3f16fa3c18cd7242fcbacddf2e4580ac3c8b7c9b8576a7506ea33b76b04e183e4105fe4d87bae3fc60bcba90e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOGFilesize
319B
MD542160430590ec0efd2ff0b6ca4741ab8
SHA1ceee6a3587325be0683c24326e7094380cae1584
SHA2567dadd3fd2abf4244b124e804c543a682bc30f7eb48cad1ccc31e752c03b39422
SHA5126df15242a527246dbbc64ca0d3ad585082765f38f517480fc104d1d5643bd98b98712f9bcc9e5687cac51aae7b960bd5b730b08f13b707233fbb1fbc6c3abb81
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD5aba119653040d7474269e074aa528748
SHA15350c14de5884e1970c2bc774f3cbd5df1a2ed78
SHA25691e09475d9caaeccedab74d2c1a8e8d681a8436f30862c86bf5858ece2faa5ac
SHA51232d4f4463fa86c3c5aa1f89750fb3a1bbe8e8c20d382760ad15588d2f71bd9323aadb914e5e53be6de24c77aec7d6698c46bc027e774c8a605719298ef465eaf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
387B
MD50f83ba223be97dfb8fca6ebf4ca892f6
SHA1be0ae983ddea07e4560b2e1c1b41d63aaa07d494
SHA2567faac66b38eaba51c4add44374ccbd2ab066348eb6a469e39e2936a02e43a6b4
SHA512b8df4475475736d1035203e17694bcce15b61e0087e359c29831a0a605e7e4113c70a8b776fe7297cb9d04e43e33701a9141aff522cf7b16dd0cc5d6eefa81d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD50e2f0788cbd11d81d22f4205769abdb0
SHA155b11b33c08f3505f1814b721c7a09c7df6c7729
SHA256cacfbc43b81a5a9b31e8835be4909c276037f33fe4d532ca7e1e48fe1428c33f
SHA5127634983c57bed969688031f1d9e876f7f6750404cccbd87b43b08fcb64e2f9c9a518909155b68d3ac70dce9dfeae9d7269d66309d87988e4c63d4d87f30c1b0e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57ee69d033b630f987afa78b2cbcd0ae8
SHA161790fec8c650934542322b63da861628672f8fc
SHA2569a901fbb4d9f144738dd0b66fcf35bbd0567fdb59792061b01769776eff2332c
SHA5120dcc844166b78e2b34c915badc6d8cde94a75bdc3bdf2715e11dd30faf0b84b5899c8edd5d48ad80cdf53aca661f4ac6473ee48e8ccb53d8b6670d5746b0273f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58d14896086d440e68176fdbef202ad27
SHA1efff80745d60e2e18ca7fcba7e0ae77aff26db64
SHA256039dd5883387fc947e22cd8477809130693a87cc16e9ee6fbf6ad495306b3ce3
SHA512826ae2670380fff43fa20ba5d7512b06b5db674b206278c4cbf69048fa48f56e0e50e45d756d4b99e197f5024c907b08f24cd9318dce7ed9ed6a641b75d884d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56485d128f588e86394362b769a50b4d6
SHA110d7ab62f924c3b749cb15dcb4e4caa557b4bad7
SHA25624d453492af885edb6e7266b92429cb16582cd9036517217c5aab2a1376843d4
SHA512880c08bb885a4f55d7175e2f8cae454e47b922202d064c5a7e71fc47af92e66d110278d6fc190b818112a73dba7f912826725ae0f98d8853aba0815c49ff7830
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e021266e35c0c71ef347b4caa602960f
SHA129173830979a2881430fe62e211253f8c23589a3
SHA2566c322773fd557fd85323b3e5f27d5ef68ca824573bffffe6b4fa07131076b93e
SHA51266b524f31956d7013744d5b0cba673d60931c624d78debecbf92ede23f2a7b950077bddecf874917394729dca8b385d01f69c8555ce9ca01602bfd8fb31fc1e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.logFilesize
156B
MD5fa1af62bdaf3c63591454d2631d5dd6d
SHA114fc1fc51a9b7ccab8f04c45d84442ed02eb9466
SHA25600dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d
SHA5122c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOGFilesize
319B
MD597ced44d95544deb7a6d09b9f2175c41
SHA157b56bcdd3ee124d06bc7bad5ed48219fb57eefe
SHA256e42be6207b139c4a5a7802743b1df2f21b36247a8537b8c04b528294b0a9a22e
SHA5125eadcf775b0703eaaf20c662ee8a25536faecab2d1fcd82b7b4179c0f765df07f349c6e9507fa5aa3e800ac4e1fc26bc8b9d72c17a6cf9d20ee1cac19ebf3330
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13366830204099134Filesize
3KB
MD506da3154b04de06161910d96b3847016
SHA16c70886929a880c000356474fed5734673f71756
SHA2562905b4721f2c0d8a78471cd87f59bfde1b68a9e05b699e8c0b7c03063102fbea
SHA512076a96436e829fa0ac20e32df07e517afd575b8342359fe94f0c3209f5db360df60253f92310dd77dce51b42bc7216cd333987fbd1d48b89faee653271ac1e91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13366830204341134Filesize
3KB
MD5993f44487f7e469f9f02142d7c11acc8
SHA154edb8bd3bca945e6de7f4e0aaa781b19fd1c222
SHA256ba36a0158f1c380ee01c1be1737ce29454a91c6df819e1414d6d6371f9952c82
SHA512522f7fc47d77207d5789a3227254ee4ca05886d975e70b62432465c8ebc9f46e50984a75168013258f4a064f527d29818ab212a89f931e4001c0d8b6c1876363
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
112B
MD5d4083162e50e29de6ae3a3f6042deab2
SHA18079a51380f02ecb7916f412f02ff47f92417110
SHA256ea662f1219cf2f335613090419a6af229a6664e4d3e50a81696b00d8bbbf3127
SHA512902812c44bd976f98f8795630eb07353735f962ba68b2f7b3dc7972332ffbb483a78b00fe6b106449d0d2802da6ec458eb81ef0346ae213907c6f8de792e501a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD528683fb7c7924f37a45716e49909d631
SHA1a540f8afcafe32aac0c69f55be4e1a7a1bae0558
SHA256af00ca552482c52c5304ff04e7c9f115651e544762f32d7c3cec60c9c21097af
SHA5126d148279711f59089d4a08089c9b54078fac99c0fe5979131e30c22c4841c1770874c7f2ff5a2fa1f52f1cfb4468da613951683cc19086896040878e6ad3cb5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
323B
MD5a581e1023434e42b85bf42785f904ff2
SHA1e8ec56cf2feb2fdcc8405aef25b39ff73475435f
SHA2560e242621d751f1901a4575d305e1f61fb3b73c93ad23c4bebeaec7db396325e7
SHA51241b08b226f958976af7e584e882a5b3c71e455a5e26f0f61fe7fdcdadf7c825f1501cdd68c5ef69ec588e6716aa384ebe8895c2c41235c43fb7ac27b882d30a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
44KB
MD5c966ac0e0ca84b2e2c0a4ec3dc5451a3
SHA19c808db5ee751380d4b99764257f5db7edd42679
SHA25670cf85a45da6d9dc6ce00edd610f9ccd0d51d5afc509f2387ee5fee4327ca668
SHA512b1e3da668f16d9337df871ba878ba43ae202e67940dfe12abcae13caf56976fd1ca2c7f5252ca075e9bd6a80af459e6c68ee11a41c7015b95e244b00e2e8e349
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.logFilesize
187B
MD589a35176613362c803783190cd0d63ce
SHA128839dbe70afa392b017de5a51698c0a23f5339d
SHA256355bb962f7b25a39f60a8eb3d081fe43283e5c24bdd87c311cfafc3d88856d8b
SHA51259e277bf27c52737833e48780be3cd89fbcdf3a0b2db681529a376e5cbec4dd4cc2840fc6aa1614bd003693aeaf10c7829cd806847923d7a8a9b230a3e0fde74
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOGFilesize
319B
MD50dff56ee29836e18f5f6f22c502d2e4f
SHA1e1f4cf07d6ff4927501341f8bad5dbccb610a25f
SHA2569fc75d01a59f5b0911c671d8009a791bbe37fa363457a6ee20e6408844f3d227
SHA5127e0c9beb258a22a8763dbc47f9ace54f9f11be97a47336895826f4bb05d42fd9afbd922215955c10c2906ac0635fb0cdfa6dea1b1bfe2ed3781e339afed3465a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
594B
MD5fe35b995f2b2cee1623927ab6116791c
SHA10965e25f9066c3a85d3b7eda845484ebd4ba5f30
SHA256387ebc08f93ae538f9bfa4e127537deeb4b240d499e5b93fccfbf945a3cf4d43
SHA5124bb7dce46a879768b3d1cb89a9b8b3a1be3e79893f21009f5c11303ad17e1002e8fc010efb93bddd2c9474cf040a7a7ce7854ab07163dee961845164f4367e64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
337B
MD539eb0dcd2c52bb0847a7662ed6c98dec
SHA134c9cc8d0cc37b225e692436564a1c4cfca2adbd
SHA256fe4b588a45bb0a50eb0556fca77b4c6e334f87a61d71709943257e0e0b33a056
SHA512f706debccec00996580b0ea1d62e31e7d93a42d8c3fb49bc0dafc185843c947493b213b91486cef0af665e97edec0f90f6468a51443f5ed45f1dae34bcc560f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0Filesize
44KB
MD5bcbd14008a9764f3cf2b53616317af65
SHA1cbcb81b793cfc717d198d965a8660e54ad64b5fe
SHA256652383df7a8d2695632137fc2621762a01ac21eba0fbeb88d86a36728555358f
SHA512ecb136e16707683bbb02b792c6f1bbc06f9d3f5cb41aa9da3858fd63ff37a606240523576b1347be3556d58cc4e36dd75bcc0f7e93886b3b6e80e23997218214
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5e22cf59b2335b2840a356391da6a2ea2
SHA1b4959f936707f98456803b445f424a1770edde35
SHA256f5901dfaf97d73a309bcfcb1da89f7468d2fb2acefd5cece771f6e49b89cf3a3
SHA512523207968b5c7064cc7cba18a0d18a12f5fbc2d1ea31c5810013bf614c8eb53b3b792ab6a3af56cab1c99be53b8e181b514146ad2a3b1f8e7b35409cf4629fab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3Filesize
4.0MB
MD51f6dec65ad96bdafd39d5d154b6559e2
SHA1b2a3aa3e55737ec6eef7029dccc94a111d60785d
SHA256e1f51bc26c82b709fb70ee6cf7feba293435bcaf92d2524cd64bbe5807a77088
SHA5122c1c839f816fd5b901492a45ac43e50244eef22ddc6774d45598422ad76925c4a815e1a3c04a70f50cf1176bf8d5b3e85776f50fc8bb96b615dc5f09586331e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001Filesize
22KB
MD51ac9e744574f723e217fb139ef1e86a9
SHA14194dce485bd10f2a030d2499da5c796dd12630f
SHA2564564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e
SHA512b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5804d0f0df6acde182816e730cd3ce799
SHA15d391d46adcbdc3a6a3a594fe56e9d28040a5a66
SHA256c48248e145c6102073cd905c453c7f48d274bc2aac7a5b88c303db57e2a550ac
SHA51298c4c1f30bf1af8313207fa1affb3a50f174c5f0ab030315c45c78b6f26a770820d5503f7b011feeb287cb49f974a16b9e9584601db13db4a530b0126e491a86
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD593eecabd5f83761014cd20edbaa2af43
SHA174818bdc911e8448ced54f790de3d3aaf4c99aef
SHA25610ec0666680b8e021aab6e7fcade52ab00998b6b8a6d287f09e7bcc0e1176aff
SHA51242d0d6078f4952a4083335c89430bf07a582c4887c8c1b5d7018c5629c0f5991f7fdf235db2a176b906a93ae6dd88101246a136de0940655077418b7668201cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD517887c41aa811a6ee6b59ed58a3e930c
SHA15168e11f556d28a4968d07bad9933d7ac49f6904
SHA256a439ee972b7d8fbd8066298a1ce7b94f5369808784d0df850812f77f338993c7
SHA512298de65b80100270d4d69db0df589c79fd6d6735e3aeb2b20df73f8d3089a88459e8ead6474184310a162ee54751c927f779e8a645ee7926e1c0397bee817c0e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbresFilesize
4KB
MD5d2ec49eac73963aaaa55e14f1d4c75ce
SHA10719ff3d4e9a3bd5f8688b42c027f44c3c5e54ea
SHA256fb20a873ad03d8d1cf82f23962a47dc2556975fe2ebc697edc02d956f26cea89
SHA512469c81b3d21207c82ca9d27e912dc8fe0f826717588a313c53eb73dd77c0e5740410d330c7898ee78d8b4933088c46e7439deec9e97d4ef1dd82cd82019da81b
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___292GO_.htaFilesize
75KB
MD519055ede3f4b429734546055cb1af741
SHA1db1d970e96e183a47af5ec8b329733c14822941c
SHA256a44211d8222029dd3f4126d59a266d2af906647882eac6068d027f7bfdf72bec
SHA512eeeafcfe1f30bee33b4f611f0c7eaeb2c8cf605df0f6e881320f0fc66b931451a0feaa7282a607fa8e6396b08d6f57459e7e1da22e4f70b64cc81ccd3060d3d6
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___H4OGCN_.txtFilesize
1KB
MD5e37009748b4b96b2a219d13d504581b0
SHA14f7f76dff6943957514c1cef5dc99f2ac0ed416c
SHA256539978063c75bacc45d7341a55ecef255d250543905927850b70911c6a464109
SHA512bbf2a5fae60b79987547adf7d35507fa4fa429996476522af613cbce45790b4a1ad41993a5ad948dde7fc8d9acb3d7d10012a7e479518e51c81caa1bcc3f1628
-
C:\Users\Admin\Downloads\Ransomware-Samples-main.zip.crdownloadFilesize
15.1MB
MD5e88a0140466c45348c7b482bb3e103df
SHA1c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA5122dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
-
\??\pipe\crashpad_4452_WRUAHKDCMCKHXROTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1196-675-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-684-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-717-0x0000000000440000-0x0000000000451000-memory.dmpFilesize
68KB
-
memory/1196-301-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-715-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-285-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-284-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-299-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1196-283-0x0000000002200000-0x0000000002231000-memory.dmpFilesize
196KB
-
memory/1196-297-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB