bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf

Resubmissions

02-08-2024 12:16

240802-pfv69s1drg 10

02-08-2024 12:15

02-08-2024 12:14

02-08-2024 12:06

01-08-2024 01:57

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Size

146KB
MD5

2357ecbcf3b566c76c839daf7ecf2681
SHA1

89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
SHA256

0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
SHA512

bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
SSDEEP

3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CEE77F3E7BDC69C63 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

Renames multiple (631) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	A51A.tmp

Deletes itself 1 IoCs

pid	Process
4024	A51A.tmp

Executes dropped EXE 1 IoCs

pid	Process
4024	A51A.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-195445723-368091294-1661186673-1000\desktop.ini	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-195445723-368091294-1661186673-1000\desktop.ini	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPatfb_00qdbblnm3_3zvikgjm.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP80dwi0rhvhtr_4ggnxdf_jabd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPz6aupaao8qrxoyaqhaeyvz4td.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7V7uPExzv.bmp"	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7V7uPExzv.bmp"	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
4024	A51A.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A51A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\Desktop	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\Desktop\WallpaperStyle = "10"	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670741783134171"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv\ = "7V7uPExzv"	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon\ = "C:\\ProgramData\\7V7uPExzv.ico"	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
676	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
992	ONENOTE.EXE
992	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp
4024	A51A.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeDebugPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: 36	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeImpersonatePrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeIncBasePriorityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeIncreaseQuotaPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: 33	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeManageVolumePrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeProfSingleProcessPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeRestorePrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSystemProfilePrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeTakeOwnershipPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeShutdownPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeDebugPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeBackupPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Token: SeSecurityPrivilege	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE
992	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1248	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe	89
PID 2328 wrote to memory of 1248	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe	89
PID 4912 wrote to memory of 992	4912	printfilterpipelinesvc.exe	92
PID 4912 wrote to memory of 992	4912	printfilterpipelinesvc.exe	92
PID 2328 wrote to memory of 4024	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe	93
PID 2328 wrote to memory of 4024	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe	93
PID 2328 wrote to memory of 4024	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe	93
PID 2328 wrote to memory of 4024	2328	0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe	93
PID 4024 wrote to memory of 4836	4024	A51A.tmp	94
PID 4024 wrote to memory of 4836	4024	A51A.tmp	94
PID 4024 wrote to memory of 4836	4024	A51A.tmp	94
PID 4612 wrote to memory of 3848	4612	chrome.exe	109
PID 4612 wrote to memory of 3848	4612	chrome.exe	109
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 3980	4612	chrome.exe	110
PID 4612 wrote to memory of 2260	4612	chrome.exe	111
PID 4612 wrote to memory of 2260	4612	chrome.exe	111
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112
PID 4612 wrote to memory of 1572	4612	chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
"C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1248
- C:\ProgramData\A51A.tmp
  "C:\ProgramData\A51A.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A51A.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4580

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8451FDF0-5DAA-4D1E-A498-BBF80B3705A0}.xps" 133670740383980000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConfirmOpen.bat" "
1⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConfirmOpen.bat" "
1⤵
PID:3672

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\7V7uPExzv.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa81a5cc40,0x7ffa81a5cc4c,0x7ffa81a5cc58
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2216,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,1039736074380907214,14499469095779641953,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:3792

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-195445723-368091294-1661186673-1000\KKKKKKKKKKK

Filesize
129B

MD5
357d1db6764c0aabf19c5b18a99df49d

SHA1
273849e1298a54b022f69c6c652270f7054d5f61

SHA256
2f404bbde2c94a96351685b2145b1ebc043bcdc1051f8980e16c05f529dc428b

SHA512
48fdf2d6cbbb1dc4ab582dbacbd627b799b28066000733d9f74a382596e2ecdc18e8f07c16476af05e081f0ce87201339cb0a6b543d02967d2737f44a6a9134d

Download Submit
C:\7V7uPExzv.README.txt

Filesize
1KB

MD5
bbc0e75b4fcf8406b54b981a42f6c169

SHA1
6f2b22dce076226cb0d2b73d25599aacad44de0a

SHA256
a7c18ed2b878cfb0163a700b2566383b776998b4ee7ca8ef6dd990e1ca5f5ff2

SHA512
536a95c23c59f4d385278476163e15b1749b4069949dfed26dcfd6b5c465d02e3534bb6cc4a0fc927b55f4921b2a9007576b7107d1ee06165e75694f39ecbdad

Download Submit
C:\ProgramData\A51A.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66A9131F-C28.pma.7V7uPExzv

Filesize
4.0MB

MD5
aa270d7f5eee843b83690109d4146796

SHA1
50b2e58288471fa8f72b73d4b2685d83e7032d3a

SHA256
34412b57d3eeea6a7417ce90f53c4ef36f4a1a55204ef1f5f1114e75d5c07aa0

SHA512
3dda1e034110d13663caf82bba96623642e8a54ee678f4dac1015032aa59c0b835f279c01f2c2b7fd68517046420b42ed2a35b682febf9c2bd76a45228981e7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
82ed664f77c2e9c54171b833ccd850ed

SHA1
f9d40030b6237edac5eef7db7e2015fea3ff41ad

SHA256
ea053dd04bf10c8aecdbe19f9a2fde1f4e7b275d0ee621daec1361e0f77d7306

SHA512
1612f1be62b31a88f5e8e591f2c864dbe642b17bd19d1f4fc42ff051dbc33f1ea33b55f6bca1e1a359d81805230b39d5fa7d5a050f309ea08e622736c6c51cd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a90831894c580986c900130982b6688

SHA1
a522d92b66ef7e0de22a98f8721fbf366215d212

SHA256
cede880a0ed239c4ca8d21f7f7043f4070e046c2085919a4b457c28a7ad96a8a

SHA512
38e477a52633d8c97fd0f54c4a4bd6fcf040cd60d2f936c7e59f19872daf95678ab1214dcadf239fa299f04b2c2afb47f1f2beee40d6509843c3ddd481c6233e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
51769cc9505c566871c1bab5beac786f

SHA1
04caad9c5be7d1ac85ee2a16efc5557c74353eb0

SHA256
de3a97b53a45279aa10289d21974f5550cb239802387c6e82582091bd5dc11d3

SHA512
e7238a64ff36286042e96d730f64b32f9d78f1a838841a69a045c363381fe882ec19d6f5662a3b36bcdf73533afab0385e150eb951cbe425699d2910151f7e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1808301f185984c62e2688b4791579e4

SHA1
951f3f782e1cd8dce51e75d4d580a3e1c556e626

SHA256
9aea870172324c532313e521cdd4baaefc5731bf255b80301670866a90cd4b79

SHA512
5a68ce835015e31d1dc5458e452734a098d4c75a96b0b7f77da5d50e4abb03b6ea77be32450531c3cfa438092728cc65e49df22bd8b2753cba3b8263367152df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0162f362809ddf840a78647790fc4671

SHA1
0f8039f23e06c64fa62e95c597548ed06ac2fc1a

SHA256
60210ab0d8d2321429610f55d22416350c769e9e1f761d8ffa5cd2e1f95393d0

SHA512
e42e562b1a49007bf361e35097fbf885528b17e602c022e3c36f8e7b38991e10db2a6099dccb7c75ca25424c2493c885c62e2c201e05a635b04e0ca32e200f19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fea4d3f8cb9c5dd25781e0d54de8607f

SHA1
f0c799e1ba78756b60db43e80319aaa0fb75fd64

SHA256
8f51794f9e334ae3e5f75ffce078560bc90264b9b49f6734fd76b8e3db4e2df2

SHA512
88f594c58691bc05e6a30bbd53fd795e6c50966eaf9213c2e30583f82a155fbb5a30f34218a39e3aa562e33d8fb0f84b59ffe43b191d1b501f48e4e4c36e9626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe59b879.TMP

Filesize
941B

MD5
c7193fa5392f09918d75bab422d4c5f5

SHA1
6cbfede163d64295261acaec4a2412447baf4c2a

SHA256
7b415d9935518fb8edaf507fb357d48b9728df5ef6b855335103fd4dcbe28a4f

SHA512
2c23b98b12bd3c2eca26573530ec337dbf11cd4c01ece0da614b9f0e1b7dafdd72b5d9f4f2cf784838bad71942601043a6a32e5d21989ee729a06c2e34e2bafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
146KB

MD5
98dcd1eddbfc4c91ea33748f95739648

SHA1
51aeed3202e3d46f83e3d5d43ba41463471a72f9

SHA256
ebacf3b13c727da0bf0bb8bff03d7189716e593f51a2f81435ae7b007c6bdb10

SHA512
5ca9d27f107e755f9858d7057888ec9df054b2ef9d4340e1722f49ba4f836e5dbc8d5883560f7e5be62338ad727a99b2287b81e9725ea6f0619f32cfca3a6089

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8429E8CD-45C6-4A58-A1EB-5C35C3D2C3A6}

Filesize
4KB

MD5
d8339041c4083997938b7ad5b37e51cf

SHA1
4624ea87c6bf433e0ac71490e99302c2a7a7e996

SHA256
8568ca293e7a05bc96a773aa87b61e425b85d0a933ffe107ef0923a8fb04afa1

SHA512
26f8455fb35051dfd55df79a5692a4a534692d064182c7f53e2f19e21308e4bd023ad9c81db7523d48962891726851b4b3ea81e786f99618c150a33a1dc5830c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
5c0c9355bae337cdaf79cfd700945669

SHA1
4800b5b38d00896389ffa928029c47cce2a6fcd9

SHA256
3246eaf99b64a4f7a310a0a4eaa41acb6169701c051397a635a8b33715f51b10

SHA512
42fddcb432d2ea2f31347edf4afcfd394400aecc5ec8b105d5b27ebed5988498566e57d0f90d44ce72ab71b46612c5e2fabffedda17ddc390e75ab81bd9ca1ce

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-195445723-368091294-1661186673-1000\DDDDDDDDDDD

Filesize
129B

MD5
e235dfd274775729efb0e32f3e485afe

SHA1
4730420a0fd8476e10046e1758ba9768966cccc6

SHA256
af9989b89d34bcce28976aa804ac45ac9c0523f2004753d930359a92acaf02f9

SHA512
d0e67224e0c7ba3c1895fd45c47b3ae5acdaea577118fc2cad23a0f7db5d771608ffeb5af886763f74ce9abadc87e60ced737b9cd08a3cdd4be3d42e49a087fb

Download Submit
memory/992-2837-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2835-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2904-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2902-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2901-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2868-0x00007FFA466F0000-0x00007FFA46700000-memory.dmp

Filesize
64KB

Download
memory/992-2867-0x00007FFA466F0000-0x00007FFA46700000-memory.dmp

Filesize
64KB

Download
memory/992-2903-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2838-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2834-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/992-2836-0x00007FFA488B0000-0x00007FFA488C0000-memory.dmp

Filesize
64KB

Download
memory/2328-0-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2328-1-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2328-2-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download