akira | hxxps://vx-underground[.]org/Samples

Analysis

max time kernel
383s
max time network
389s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
08-08-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vx-underground.org/Samples

Score

10^/10

akira discovery execution ransomware ransowmware

Malware Config

Extracted

Path

C:\Program Files\akira_readme.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code - 9082-PU-MHCL-SUUG - to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4388	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	4388	powershell.exe

Renames multiple (3665) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3508 powershell.exe
288 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

iphone gratuit.exeiphone gratuit.exe

pid process

4180 iphone gratuit.exe
1256 iphone gratuit.exe

pid	process
3508	powershell.exe
288	powershell.exe

pid	process
4180	iphone gratuit.exe
1256	iphone gratuit.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

iphone gratuit.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	iphone gratuit.exe
File opened for modification	C:\Program Files\desktop.ini	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	iphone gratuit.exe

Drops file in Program Files directory 64 IoCs

Processes:

iphone gratuit.exeiphone gratuit.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1914_20x20x32.png	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\MedTile.scale-125.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Fable\fable_background.jpg	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\call.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\rock.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.387e40a3.pri	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms	iphone gratuit.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\MsSense.exe.mui	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\_Resources\index.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL	iphone gratuit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-24.png	iphone gratuit.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms	iphone gratuit.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-200.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_base.jpg	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	iphone gratuit.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-36_altform-unplated.png	iphone gratuit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	iphone gratuit.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\friends.scale-200.png	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\BeachDeck4.jpg	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Pitchbook.potx	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\opt-in-ad-popup.wav	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\resources.pri	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms	iphone gratuit.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tm_16x11.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-LTR.gif	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-100.png	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms	iphone gratuit.exe
File created	C:\Program Files\Windows Defender\uk-UA\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1937_32x32x32.png	iphone gratuit.exe
File created	C:\Program Files\Java\jre-1.8\legal\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-100.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_7.jpg	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.scale-100.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-300.png	iphone gratuit.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_2015.7906.42257.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\akira_readme.txt	iphone gratuit.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mip.exe.mui	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Popcorn_42.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\6.rsrc	iphone gratuit.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\akira_readme.txt	iphone gratuit.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Pyramid\pyramidassets.xml	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-125.png	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-GB.PhoneNumber.SMS.ot	iphone gratuit.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Fonts\MapsMDL2.2.01.ttf	iphone gratuit.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	iphone gratuit.exe

Drops file in Windows directory 2 IoCs

Processes:

SecHealthUI.exeSecHealthUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675952505256268"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

944 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4412 vlc.exe

pid	process
944	NOTEPAD.EXE

pid	process
4412	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeiphone gratuit.exepowershell.exe

pid	process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1620	chrome.exe
1620	chrome.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe
4180	iphone gratuit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4412 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1848 chrome.exe
1848 chrome.exe

pid	process
4412	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

chrome.exe7zG.exevlc.exe

pid	process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
4900	7zG.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exevlc.exe

pid	process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vlc.exeSecHealthUI.exeSecHealthUI.exe

pid process

4412 vlc.exe
4968 SecHealthUI.exe
4528 SecHealthUI.exe

pid	process
4412	vlc.exe
4968	SecHealthUI.exe
4528	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1848 wrote to memory of 4808	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 4808	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 1588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2328	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2328	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe
PID 1848 wrote to memory of 2588	1848	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://vx-underground.org/Samples
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdae209758,0x7ffdae209768,0x7ffdae209778
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:2
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:1
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=976 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4660 --field-trial-handle=1936,i,8195651182780782377,3503151781533244222,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4056

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef\" -spe -an -ai#7zMap16931:188:7zEvent20640
1⤵
- Suspicious use of FindShellTrayWindow
PID:4900

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\UninstallConvertTo.M2TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef\citeste.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\item gratis\citeste.txt
1⤵
PID:2080

C:\Users\Admin\Desktop\item gratis\iphone gratuit.exe
"C:\Users\Admin\Desktop\item gratis\iphone gratuit.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2800

C:\Users\Admin\Desktop\item gratis\iphone gratuit.exe
"C:\Users\Admin\Desktop\item gratis\iphone gratuit.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
PID:288

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\akira_readme.txt

Filesize
2KB

MD5
684eaf6c260ebe509bcf23f9e8cdc4cd

SHA1
582686aed21eca230ddf7b6697886a3238b2a857

SHA256
29b10f960c532a1588984c98fcc3986bda42fffee1415dad821ae1e933594119

SHA512
da069ba04479330238fae185a2f1d168cb709071e57b6cb17c922eb1212fca8b14fc60e087dba391ff4ad807a458dd73533d65fb860f6a453c939c6ef65a7993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
a2a7510c97d693b45e10d61b9cc39401

SHA1
a3f5e9e34b790bc312e7700d2fb171f671250f77

SHA256
c90c057d1f2eef14e5b3c9a6b207251f242cb9d60393f3e95b915b8f9626b5ba

SHA512
d9e5bd6ecb13000b35dff4b0926f7b5532eb9987962204b97982c3a0a7294fb1ea0b2c3d7cd630470e431d44243a7eafc60a9be24dbb3d9163e46b3ba1848e51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
b75d50f8535c75886f86167cee842a2d

SHA1
3f979baf32cf8633614cf6c4a2170baf2142d0ab

SHA256
6dd919e4948baf446492029c75e72c3be152d8c802d05dfb1ece4f829bf7daae

SHA512
09a6345fc910e1afe1ada8d1b868fc98a2b90dd466d85c9eb34054858b488afc37312c90e3ba7b6eb26ea93bcce1b202a8ee6c0196d03b81917cc31c5c2b74aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
684B

MD5
bb65094ef7aa003c79399b9d34196fba

SHA1
7a35af1a36b6d789bd1d3b1c170505c0108f85ac

SHA256
b1a3a6f9dcb619c4857bd224d90f0d1e97da6b26511bd567db1771f0bccf6270

SHA512
1f3e033065054409c13d5850da7cc2b2c070ce281a57eb973b2e649ce63da4855887cc4c7af041dfc862801bb09f5a7857d05c5550d8ac470a83ed82c182a5c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6bb956b935afebc0ad725e2a6dcbf6b8

SHA1
0700b948733a5fb4750a155ff030b7a79a92c8ea

SHA256
89710940c0d4b74a9ec338e5f17bcb3868fd161969d2c10839f317bcda1c6fbc

SHA512
0c8be9aee2d690a30244e921eacb4fcb518505fbc68c3ff642cef709f58a52e21715d2f441ccda4ab117b1e550eaf69a704ac430cf8150a62e6f52bbe8b4aba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
77ff5bb58a8c1dd24c5c33acb9e8883a

SHA1
003bcfebaba4f20309af9e477c3b74962c5cc552

SHA256
7aef8fa8ca06602abcd2ac92ffac34b91b139a05a523f107ce07ee6c7b040c8d

SHA512
01a25c9e1c82765f1cc2c2d9a60e46d69aee16d242f976c13b93eab23301d5f90505508d9947def7312573b788ce419dbe853f7fa998aab3bddbef261b4b8df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2841e3af4f6790aff9506d87822648c2

SHA1
c12caf7321577fa444dd150918e1832dbc95d948

SHA256
a556b7ac053667c25b74165faf26ae6159074405d2882752a0c24c0ca42efd5d

SHA512
402ba8448f97944ee128929b62b26a047a764b77f1351d43b5d6a2230afa0a2bc036b25d8e4024eb7e9a746b867907b6c630ea331e4f70c606df0c2daf88affb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1ca53e457834b4682ec1b2c807c65c50

SHA1
9b37242255bea868e15eb73bc9060942bf2a7972

SHA256
550597b4b4460d5348f83bb9d04fb56faa64d260b2ecc6605438a3347b7378e0

SHA512
d1fd54ec369b9cdd603954ef804f0db6384ffcaa44dd46a0d334b6e8a5c227d846a41506d3d47a61b9aa1dddf9c9aa50123b56aa3a7d3b4c242a71f2ad5b14ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
afe36501df3336725ce23dface49b5d9

SHA1
04a98b7ab9d7f528e69c12050270bf8e22d8930b

SHA256
51750b4ceeb6a9d6007ed0b8c52c3c0160b2a9697192db78d69dc7b3af29a982

SHA512
8e1754f3add85bbc7483a4be3b0f80e59bc310dae4b7a2f04f9d307d5ca7a6ffeff17340a4e98a52a042487dcab7539d084ffdc51b6d99918fcb2be0b3132381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9bdf574c088e2e40c08ca738e4f7a885

SHA1
1623505afbc258859a81e6283d84f0b0fa9e6665

SHA256
9f5eb5ea8f757f4e73301ea2026c8c346949ddb10c7adfc6d259b4c2125843fc

SHA512
d5099f389bad357a1f6d64f17f29647c30284285e2e92ea0429c84a77f5e086eed76faeb6617653f3df52f0ac63cb5d73000decc017d5d1e0494b6825b3b86d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
cee06a1d5127ec7e92c8d639bfe4dc50

SHA1
114090e9449152c1d2b03cc394a0d0f72b6f4afc

SHA256
3f8ff03a19c123e8c7b33ccf6c731f60abd0eeb4162040ff288861fbce019d79

SHA512
4ed90e11eac8de3fb46f596850368d014b4fd170c51a72d6fc10f57b51181df7713eee9f49c493276493deda695ad9a51ce1ca9fe340a4c6d06626c807a1c663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
222KB

MD5
ccf436771ec3c92db703296dd52c3540

SHA1
be42af3315b3dd22394d1efcf54bcde1a4092e1b

SHA256
bd3a1c67239114bed6052fadbbbcac62cc27f1bb29ec161bce898187e21aa458

SHA512
fe45c412621ed984325c863a4cc525bfefac4879d4a2b95a35f0379f9405e6e455dc495548832f991d2dee04734621a1a3c42fd0f33a11b00e9e087d3043310e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
df32c279970533f025bd125987fd75a8

SHA1
754e5ff4bcc9b3dd835023bf07c17d9711dfa4f3

SHA256
cbc045d814f4dbf4ed306af42ba76d896fabaeb6f91600699a2073cb9eea5c96

SHA512
4ccd8f6196af18b738e13e9249d89587a04a3eb92a6d5fbf6e121b002e07bbb14b5d99c66a5cc376d0b8ab08b4d7af1a1bba6854f15ff9557867c797b2f92868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
c7db99762cd685d4c1cfef54b9286c30

SHA1
d45e261fcc6896eca1acb46c8d36db575b84fd47

SHA256
06d272a5c47c85dc16d8c44cc697e6d9cc73f2327672b2f533cc67150354e4a8

SHA512
d1c9255cc2b19bc0fe1ef63dc0c85078cccc7a04b57aa1624241abb4d60cde4233b9681762ab2fcc149109611f2ec35b2deccd6593f877bf8cc4a7239b6e064a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
446670f89cd3234fd8ed0d83f410d65c

SHA1
b0bc5dcf930ab6e613f950347bf3582aa3807d0b

SHA256
788170bccf78d362c023d8529e9a461a9a01508e54321201b5735e7ffe697e6d

SHA512
e777d28595a6b501926bed1c7d0e87d07e9f5dbf01a45bfb4bb8ac8699f4b80ff9b50b914792a8ef367c16d34e690db516ea7ee6be9d0a8faa0eabd7c012d9ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59a84c.TMP

Filesize
95KB

MD5
dad817169cf11b43c0794f6b09db7ccb

SHA1
5155e6f46ced2ab3318d0e1f91a84a858c3a2192

SHA256
1990bc5e854b98875970395d44377c046f5764eabbcd7b72d46e145806363539

SHA512
36eead42d9429a17bf0edb0ca2bf89da259be09a243f8a451bef0a0f769839c0464af0b12119fa48d886a281f0782c5839f504a41d8c93c0cb83a09a36ac8de8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a4a716f8-7c79-4c71-8b0b-42bda55b3d38.tmp

Filesize
150KB

MD5
05f8fcb720368539e0beea9edcd15d9b

SHA1
3709299bb0ccece64c50887441bc63e9477f008c

SHA256
c63eb4fc0e4e5054749448798a028cc38f8c553a4bb4075bd0f1e67fb29e4aaf

SHA512
06ff384ef707326b97b0d6bf8f3605bcc4469263002dc9d45393eb676d3e7f99da5394d6b3a69f6f3e58e9aae0a1485e284d46fb4297bd7ec0dd139b04054a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70ca7d422789f6f74712943cb60b6e60

SHA1
271801d5a14f09d347a408eef1e72f99fd2641e4

SHA256
bc383deab5151dc0699f2f7ade0cd94f0f7e43f8631b9922620faa33b594693c

SHA512
7abf8327bf1a4833ae69616d5dbce79fb0c99cd755437f99f311dcd7863901bf9f447fa8b362785341741c0e97631d5a7d35fc57eb5cb028c31de35d47ca27d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcvesvvj.oqx.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\item gratis\citeste.txt

Filesize
96B

MD5
7215d92db273c68dc41168a1653e1686

SHA1
e2273a424b63f51143a22d9c64c98f36e7f001d9

SHA256
93059599066ee4245a2c1f5922baaa0ab4fe1d268865a2e51276e15626483068

SHA512
e805d448eac98b7afe0a91841f12f399e5850c6391578909246d98fa91140c09ebab37cde8788c41b29d54f8e5a09a9523863545bc066fa41a47781d68561a91

Download Submit
C:\Users\Admin\Desktop\item gratis\iphone gratuit.exe

Filesize
606KB

MD5
f526a8ea744a8c5051deefbf2c6010af

SHA1
d4f6241abe5f46e6b18f10da95d004924eac4ed3

SHA256
8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef

SHA512
abdf17b30f76a3763e015365b5ed5a900d4091e721968b58890fd27887b0617f44efcacb0cb2146e2933eea4640e99a8ef7fb30851e1eccbc1665666e15035ea

Download Submit
C:\Users\Admin\Downloads\8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef.7z

Filesize
224KB

MD5
b9be2e0265b8175b2393c7924b7d1ba3

SHA1
370ba659c1013e90764f79bc6f523cba781c7ff8

SHA256
dff0352bc2b71f4f07b658fbe397ea60885bdbf7c41975e559120f6c2addcfa6

SHA512
da4f755f840741e2f15ab9ea1499685ed06d435464136b397e204488ad15afcc477d0c4ffa63d827ddf5515389d13a3100f3cfed265f2266240674c07af8619f

Download Submit
\??\pipe\crashpad_1848_MLJKBZGXZAYQLTRN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3508-206-0x0000025FFA620000-0x0000025FFA642000-memory.dmp

Filesize
136KB

Download
memory/3508-209-0x0000025FFA7D0000-0x0000025FFA846000-memory.dmp

Filesize
472KB

Download
memory/4412-186-0x00007FFDAE9A0000-0x00007FFDAE9D4000-memory.dmp

Filesize
208KB

Download
memory/4412-188-0x00007FFD9B090000-0x00007FFD9C140000-memory.dmp

Filesize
16.7MB

Download
memory/4412-187-0x00007FFD9CF90000-0x00007FFD9D246000-memory.dmp

Filesize
2.7MB

Download
memory/4412-185-0x00007FF604F30000-0x00007FF605028000-memory.dmp

Filesize
992KB

Download