chaos | 0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5

Analysis

max time kernel
346s
max time network
345s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12-08-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FridayBoycrazyV2.exe
Size

280KB
MD5

41e34a8240026b4e9cd8d81a73ee8b2c
SHA1

3876b12e152dd552a7059538242b6f87a23e60f5
SHA256

0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5
SHA512

a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73
SSDEEP

6144:1r93iyJ7/+WZT1kRnSeXSX9MNzxiMwP2OswK:iyJ7/+Wd1kRnFX4mNzxyeOswK

Score

10^/10

chaos credential_access defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Warning.txt

Ransom Note

Your files has been encrypted By FridayBoycrazy and you won't be able to decrypt them without our help What can I do to get my files back You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer The price for the software is $100 Dollars can be made in Venmo Or Robux only Please Contact Us At Gmail: [email protected] Discord Username: fridayboycrazy Payment information Venmo Amount: $100 Robux Payment Information: 10,000 Paid Ransom: https://www.roblox.com/game-pass/887175972 Paid Ransom: https://venmo.com/u/gratefulcode

Emails

[email protected]

URLs

https://www.roblox.com/game-pass/887175972

https://venmo.com/u/gratefulcode

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/564-1-0x0000000000FB0000-0x0000000000FFC000-memory.dmp	family_chaos
behavioral1/files/0x000400000002aa71-6.dat	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3536	bcdedit.exe
4948	bcdedit.exe
292	bcdedit.exe
2216	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3416	wbadmin.exe
3320	wbadmin.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	FridayBoycrazy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning.txt	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lpvz	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FridayBoycrazy.url	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Warning.txt	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FridayBoycrazy.url	FridayBoycrazy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FridayBoycrazy.url	FridayBoycrazy.exe

Executes dropped EXE 4 IoCs

pid	Process
3200	FridayBoycrazy.exe
4904	Decrypter.exe
124	FridayBoycrazyV2.exe
3120	FridayBoycrazy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	FridayBoycrazy.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	FridayBoycrazy.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	FridayBoycrazy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	FridayBoycrazy.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84u8xpdar.jpg"	FridayBoycrazy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d1cjf57ge.jpg"	Decrypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w65pxks4u.jpg"	FridayBoycrazy.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Decrypter.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2520	vssadmin.exe
1016	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678975116845892"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	FridayBoycrazy.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	FridayBoycrazy.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	chrome.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Decrypter.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Unlock_Files-decrypter.zip:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe\:Zone.Identifier:$DATA	FridayBoycrazyV2.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3728	NOTEPAD.EXE
3512	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3200	FridayBoycrazy.exe
3120	FridayBoycrazy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
564	FridayBoycrazyV2.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
3200	FridayBoycrazy.exe
612	chrome.exe
612	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe
2940	Decrypter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	FridayBoycrazyV2.exe
Token: SeDebugPrivilege	3200	FridayBoycrazy.exe
Token: SeBackupPrivilege	4472	vssvc.exe
Token: SeRestorePrivilege	4472	vssvc.exe
Token: SeAuditPrivilege	4472	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: 36	2600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: 36	2600	WMIC.exe
Token: SeBackupPrivilege	2224	wbengine.exe
Token: SeRestorePrivilege	2224	wbengine.exe
Token: SeSecurityPrivilege	2224	wbengine.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe
Token: SeShutdownPrivilege	612	chrome.exe
Token: SeCreatePagefilePrivilege	612	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3960	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 3200	564	FridayBoycrazyV2.exe	83
PID 564 wrote to memory of 3200	564	FridayBoycrazyV2.exe	83
PID 3200 wrote to memory of 3060	3200	FridayBoycrazy.exe	85
PID 3200 wrote to memory of 3060	3200	FridayBoycrazy.exe	85
PID 3060 wrote to memory of 2520	3060	cmd.exe	87
PID 3060 wrote to memory of 2520	3060	cmd.exe	87
PID 3060 wrote to memory of 2600	3060	cmd.exe	90
PID 3060 wrote to memory of 2600	3060	cmd.exe	90
PID 3200 wrote to memory of 1940	3200	FridayBoycrazy.exe	92
PID 3200 wrote to memory of 1940	3200	FridayBoycrazy.exe	92
PID 1940 wrote to memory of 3536	1940	cmd.exe	94
PID 1940 wrote to memory of 3536	1940	cmd.exe	94
PID 1940 wrote to memory of 4948	1940	cmd.exe	95
PID 1940 wrote to memory of 4948	1940	cmd.exe	95
PID 3200 wrote to memory of 2748	3200	FridayBoycrazy.exe	96
PID 3200 wrote to memory of 2748	3200	FridayBoycrazy.exe	96
PID 2748 wrote to memory of 3416	2748	cmd.exe	98
PID 2748 wrote to memory of 3416	2748	cmd.exe	98
PID 3200 wrote to memory of 3728	3200	FridayBoycrazy.exe	102
PID 3200 wrote to memory of 3728	3200	FridayBoycrazy.exe	102
PID 612 wrote to memory of 2352	612	chrome.exe	108
PID 612 wrote to memory of 2352	612	chrome.exe	108
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 4340	612	chrome.exe	109
PID 612 wrote to memory of 3640	612	chrome.exe	110
PID 612 wrote to memory of 3640	612	chrome.exe	110
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111
PID 612 wrote to memory of 2520	612	chrome.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe
"C:\Users\Admin\AppData\Local\Temp\FridayBoycrazyV2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe
  "C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3536
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:3416
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Warning.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef534cc40,0x7ffef534cc4c,0x7ffef534cc58
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3008,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2804,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3556,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5076,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4336,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4572,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4548,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5580,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5984,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5760,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3380
- C:\Users\Admin\Downloads\Decrypter.exe
  "C:\Users\Admin\Downloads\Decrypter.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5680,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4992,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6120,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6180,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6320,i,16559369306012288509,7391544437735326136,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5084

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004C8
1⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffef534cc40,0x7ffef534cc4c,0x7ffef534cc58
  2⤵
  PID:3548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3968

C:\Users\Admin\Downloads\Unlock_Files-decrypter\Unlock_Files-decrypter\Decrypter.exe
"C:\Users\Admin\Downloads\Unlock_Files-decrypter\Unlock_Files-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Users\Admin\Downloads\Unlock_Files-decrypter\Unlock_Files-decrypter\FridayBoycrazyV2.exe
"C:\Users\Admin\Downloads\Unlock_Files-decrypter\Unlock_Files-decrypter\FridayBoycrazyV2.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:124
- C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe
  "C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  PID:3120
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    PID:1924
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:4508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1928
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:292
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2432
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:3320
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Warning.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
719b5a19c4d86a1f1c8a69b0c3ca1a86

SHA1
8d10a71dd51e5982dad6ead4c44d8e9de2bbab9a

SHA256
9d760ffb787d9e03cc6528d9d501ee0eb380cadbb1483215c9f9336739ee841d

SHA512
30a2bf66eefcf8843aac4d0647d4acae8c530671798d1c88737d91be40b9fd8667c335cb3a105f7135b5ff016da435e7aaf27c7843acfb7689f328cf2afcd5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
919c91674b47a5521a7a424f7d64519a

SHA1
fcfcb06adc621f61aff0170ede66fefcbc0e1b7f

SHA256
06417fe188c7bdae2ace433935bad052ff67eabeaf7b2a7b1412e9f748c2dd6b

SHA512
900ffd2584f0e85e3ee8bf43262ed79f45d8627ae332f95db59cdefd95dd0bf85a450573de25e027e744543de3edafafaf783237038a48e06bbf71aa5a498f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007d

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007e

Filesize
36KB

MD5
f90ac636cd679507433ab8e543c25de5

SHA1
3a8fe361c68f13c01b09453b8b359722df659b84

SHA256
5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

SHA512
7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
57317baf0b9bd5553fbf3a851d85f9dd

SHA1
ef815cf8593e906feca097ad24453e4f7c68d7d0

SHA256
4eb30f63fbbb27e0441c38ea241d564f0ba7c507f849fcaccdb4d655a287d596

SHA512
fa1509fdd8548d9add551f615888991ef727d3da969c465a1138449662d3ce095d03f0f69b72299a28cf3b6c4d5b228d5c97a1e07210a4aa05689c869650c10d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
950288666761bc27f22fe33d74513d6b

SHA1
b0bb7b64541a65c61a1a580522b7cd9e122f5acb

SHA256
2044c70015e1d27321e84b85b96d055ffb293895b1accc631fb4812b2a89d546

SHA512
3476747ee202f6d78a1eac75cf503488f3846650533c38c4e74bfe7feb2a176d1dd2229f0bd7d0d79ce2b94e0c058582b76aee57d8c775f758723cd408956325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
333B

MD5
5764044e162f980c98bc73b3e4e846c0

SHA1
1854511d017faadbbb6d3565dffd7cc835c3b1d6

SHA256
c5230d74368fbbc356c942878a5634057203b8e8698ce1a8b47c7e0f09523aa3

SHA512
7e3051846c0baef08e3fa5bda1c2aad2257a9f52e2bbf00ea755e60cf22fd9fb4a1beae92491d60803e5ea5f19c0ba85129588e2335f32e46604acdcb121c148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a5fb2f542d11319d3a47efbd7d2fac6c

SHA1
1a3dd2abef3e49251981f276c2fcfe0316c55aa9

SHA256
035359e926fa524cdb5a97159c47c97319b88b1bffcb89a6de76bc6fe06af4c7

SHA512
d92bbdb4e300f824cc0a018cc9264678c63aacc67bd68ca412e342b0fa9f4ea6031eb59f85266a0526eab5d5521e120f6eaa8ace0a03727e7483fd73fae89b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8c2083f03e69c6eef99eb54b8102c8f0

SHA1
7235611cfeb7507de65f35306f54587d5c546ed6

SHA256
64b85d695ce56b8d7e20ca81461007f46f6c5d457472962514c5dfafc6b9787c

SHA512
34d485db1240b8cfb85d567580085cc4fbf99900ee6e81dc96b2cd1868da37d697b5624918953af1db47b42c97287222137516da91d46f3fd887159ee6a83ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7c0d569fadb4ef66a1b6ee51942ec7c0

SHA1
8deee3659617b847c2829ed7ec0da27e329953e6

SHA256
82a83fc9f74cbe68d461cad531a978ff4939504658b2060c0ea46bb835c2d475

SHA512
03c2ff609678cbbd79e53357560f39fdb2f08d447e47ee6249b3b445530da89f9872175084d910c5e02506806de7305d7fd5b2b90ff9f67235225cd36d31cc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dca4b837c4f357b64d5a52c49a309f3a

SHA1
792c56d95a7b24d2a34e477f4800fcb673db92dd

SHA256
2a91c3ea54e87b9c0715eab0502e19019ee946ed01a7da822ef2d150328b6df6

SHA512
5e6638847934a9feeb96b0bb89cba3b67c779871a956903bd1bf5cfaa8a9cbc539a90c81de695eaef521641634bc646ec286100d003e77d549b2a6a44976a515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
b34fac8aacebce82974cd808f0ea556b

SHA1
0bc852769d1f585d7eac69ae18e34a8274539eab

SHA256
03af9344aaf74bcd880f3f7f87a990a248f8752a980340f8fee87ded98f90370

SHA512
7ffdaf83225e693ecad4c1042f429ce402e97ed03d50545cb999ab28d1c2e6c1c3fb48e11dcb68934841524b9f55f46e185570a26f1d6893238ab6f18710473e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
a64cd6d9693f4f4155ba16f2308b87d5

SHA1
c8da523fdefaec50f9dd2b7e3577fd3992e4aef0

SHA256
e44218923bb297e57d74759fbfe9fd9460f415b2afe280d459bc39b460e59dac

SHA512
2c2fa80c50b7951e0f9295c7eb5a7559aded5b81773f10aa5fd95e2aa22cc04b5218932f98c09cfab40601186b94c212276bcc388af329691f88c0037bb4043c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8860d38aa812a25b63c88f0e1c55844e

SHA1
184625e606e403dea1f4ddfbb4db04bc58e3e4a9

SHA256
bfd8d1f601878e8e43998fd3bbd7b7feda55ac1e484810595750eadce02ddd82

SHA512
6b1716945aea33c5aeac82a4b0bd703dabecdbeb0b8e01a8ad711330faed70b9c50a889fe85be507ce71b31bec8956ea2076d51ef179af1314738435669c3117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
12adf3501891951300f7bedad7b4ad02

SHA1
af1a3598fbf3eea71f30cf1592108ed6fc8e4d18

SHA256
288109caba053ed2a568ab4d7d7f48c1c755dce4f210ca5f1fb1a13a4dd5b16d

SHA512
01e50c6bb624c535bdc00f168b966c97b695001e3598e5e294dfa58ca369a5e635aedd249a36bfb6c45949f93fc8352fec6fe112e5aa1b4c04bb950ced6227ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
49f3ad34662384117b1aaa98c792080d

SHA1
af6a2685b4178485ae44d483b6526a063475fbdf

SHA256
8bcf4cdad663ce535f0e1870a3ea2c14ee05bdf2d2bc9027bb45147a41eee8e6

SHA512
3eb6c1c68d86d9fc583447434e70d563073064ed9af2f8f3b3afdf70b04f9446edae14df325046e8e73a3cfa8ed8b6baeba15c350aac1fa69614c368e9f34cc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fe689ac190f28667cadd16400f12b99d

SHA1
82ca21e0ae9edd9ed7508a7c71c4acaf0354d324

SHA256
c5f45c41452c520cdaf14576995d5482c3d658c4af142fd1ea18b014c61f20bf

SHA512
ce0fcde46a2a9e98210efc2a2a667cad78c4404b53dbe6bf7e3ef1aa8c10d9e11cec98901c866cce688a85160cc4463a60555387b7588c228ecb654e850b7f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
77eabcebb20d9897ab1a8442c721ab1a

SHA1
92610f52c80af320a5db2e9a00588c85fdc4f3e2

SHA256
464f60cb70ac5945954dfae28204a6c94080fe8a4581e606ccea9321dee84520

SHA512
f1fee9b174fb2c976d3128e171325aa8c6fffe314dd672211e508545e1a533a47cd2390e120f23adfbed416865f251c9da8fd1763a7f78e6897a2bbca79550f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79858db802dfb1e319402a65280c08e7

SHA1
b1469832c69d90f27788e7b52676163d9293e3f5

SHA256
140eb34135b23b7c061f01892704d9ff877b89cc05de9076a428a2a034ecf84b

SHA512
d3b3cc7cabf82ec15a7f48cc08357d9aa4b5d2d8d6f1016c3c4142a7a14b6189f90261e58458f27bd7804ed10afbd9819609e28c5668fb5c24cd4dbf23537b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
15402053c879e24dfe87980fac93b5de

SHA1
26a5c708efc2729097c2e334ca21c092e33f034f

SHA256
92e1a835476a98d8dbc574342a97c92e16a39b64ba70ad498aea85381b1ae56c

SHA512
6662ca3bbcc9bff92a17707db374b17f13058b496ee44dbf619c2edab4b3d899790becf3ab042fe52ae469350d090aac34db86c8d6b782746d0af78e96147b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b47063c8781d4df3b6a9c7e455c3ee3b

SHA1
8314b3d624078d9b082bc112d7bfb41b5445f83a

SHA256
207422bfd28c9e61c684905e4d5adca59619a1a75c1693e363e0fac1c1614b8d

SHA512
5496fb76fabfc4ec28474bc25da21dcd0ef93d1446879577bd19459ebe82e60113872b7f3798dd28cc717e33493a762134ca9d3f2dcadf674e38a498820b4dc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
329413fbc2a4ea99409ecec060401dbf

SHA1
ba6f402e31d875c60de214ac53ef0eb640d47476

SHA256
042236295f314b2d82a52763a94a1b7f066359a589d87593ba3e5eae22415327

SHA512
b2f40da8c5224ae427aa78e583e1676624ab416e2bd848861f6fd2f80c892c31f74854547d23c93e4900ef31c323d06a69cd712f48a5ff671d0426299b99b701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72428bd54f056f52096f812ad0412fb6

SHA1
c54cec90c845ad3dbdfa39a02e4bc7d755610e07

SHA256
03dac1c9eb148cb9c77b36c4392fdefd6129f1265d3869e8829ed489eeccc665

SHA512
f7c4759fabeaf3b7c3d11f85812a4800759af3966238b3498bab26973a9b180cc2476d2a6b863cba1409f72be9b189614409030439e7bd2521db144d08be4b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8265769c6c1a4e1eb7add5c8b2fb359a

SHA1
260fecb268ada1ef56c1eec0eaeb9bd1e653148c

SHA256
8cdfad82f28b97746308a7e19f7c16f1065bc1f30df782e0ed869eb5f5239cdf

SHA512
5ce579281667a77a55c611afa15300de2d0de121d1093d2557c5f2b1cb200ffaeb9b33ad0394c974c03d9ed93ef6be47583bf03f886c52c3318cc4d4480f37b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1514679cc3035aa6775315c9f5c0c79f

SHA1
8f94ccb10100db0fa4258676a6822ae8c77fa3a4

SHA256
b18100079f5f5381da879d8abc087163deff3444adf967c523148b922e023a1c

SHA512
26845c958224b60bdd73a206f69670363cc7588dd3d1604401b7d0d990befdba13b6873ab5e955cce0109e9352f72d8857f4e3ac7958f29618d9a78402a6e94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4823e05ce9c1dea9ee9907e1e4ac3e22

SHA1
5d33015e76859f6ab315362c5dd3a91f606fcb52

SHA256
acc816563926216d02235d1760b7dc6834c9b2b50385deaa31d9a5936ef03b62

SHA512
1779eeda0d7c72b00136141a7efc51481cbe353885acd1b16a65b7eb8a3efb8097ed17ccd887081df6e9e3fc9dc15ef7cff616684ae3acc64a4c056b6670091b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b5d4c28bb77ebea21f5ea4685df7bf3b

SHA1
e7e968c93b95df1216b15e0de305767d5a11078d

SHA256
891e168dbf97ac0a77627587d4efa0d113e7233d4e64a673afa1c56713e9a437

SHA512
ed66d38a813e8fd00fdade7d58d045d850e50051c0adb217c5183b93991389c24defac2ba573533d9fc2050282b820170fb0a7e20915266175a3274449aec287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ca817cb5f6b4f9e5ec90b94f689e5476

SHA1
b3552b07abf73b33bbe89eadcdd43df12c026678

SHA256
5a6511162a99187ba83c9cdd9ea641d8b40cc305dceb185fae84e0fc3bee3d65

SHA512
5489a56ab00f4a7ceae790846173b2fe2dee2f5d91e55c32e80ca4d93aa57287ffdbda46596a584aee86237b3831b4425eca17eb4256257bef8a89da28db82cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bb1fa241af83f51d25a228e276f6abe8

SHA1
d2a6d16c4af6b7e927e9c95557fc696dbad6f445

SHA256
c8eaa81b42cb04e2607b0feac9c55f00d408f006bbbf5d99becf1fdf22acab20

SHA512
8beb1cc9982670a0c70ee30ad5cd6439f6f54f3be32942b15f86bee3b3c1472eb82df316edc11a81da3d7808cb8295873ad32a8ee812edc9999cd4ae49ec08d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d6b4519c19db793afaa4913025e9c43

SHA1
0fdefa1fc91ad952b530f6ef7e94f6173fc78757

SHA256
9e83bdeb4d25aafc31216e6c3098b8ef429585e5aa6307008f3fc3e5e0435612

SHA512
3a51e5f2cd6f054911031bddefcf5a24e51ccfec464029ef47b6257efae17c54a8ffc1279210e3e0098141242a48b6d04225ffadaaf6a6784e5c492e0f040489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
519f06dfefca7bdfe795a4ec41effd54

SHA1
56e22ab4770f2192002f442bc0431ac42bb6b12b

SHA256
c4c7d9e1f8ee6009476ebef9b8e449caf3eda552b8d87d3f67bc596e3d60029d

SHA512
7015ec6ab481e735da6109119bb576241198cb735d4341bac711665bfdeed937cf3bbfe0d34f17997dbc7d64828ebec662b628831e12b7be714d394ad6021806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
92cc26df85d19a1bf0ca31e2aad7ac02

SHA1
e501de68bbe586e925273704f43c403e4f7d6986

SHA256
8f42b405978ac9f290a10df875970f3063a87054f6adb4f36bc0a916915a54cb

SHA512
a4e58222a4a176a55109083fba9fba4459d3f60267f0884430191c0ab79fa511ca9f647c06c86f32177b190b6f25c381f659f8dfc384b973fc212d26d301aa9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
672fef82690be28dea37ac3f3139f0c9

SHA1
c158fac4a5075fd0033b78514522442d80bba191

SHA256
486319ad446f92febd668562b0e663822236d3a11fe73a07f9c89f9df320faf0

SHA512
b665cf340fbcc380d73b1471d049f414175c70e62c2a1253e6d4240257b485e22935357c11d4a5e4bc8171ece14005ac873fe36c4a51ee14c00256be1d9d8b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
e3b7ac31bb76555488999c8f06796f69

SHA1
35a5ef9913774d69a157a8993decdb0d4a969638

SHA256
4d19e96e425c8badfa4251ca013fa178955e174147494db7885d263ef9a24c9e

SHA512
6a0fc2f32f1cd5c221b4cfbaa879af28f1aa44c5466b55ce9a8cf8881583eb07c5b73f3a18f50bab0ac2c15df882b1c206653c24f57ee1bd276df82759aed462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
4873275c7896ee2fe3c19419ddf5a57a

SHA1
d236c911670ef0a0f39df8f9b748c3c3236b7b89

SHA256
098547090eb88a425ac2f56c189a401f316b2531b7df9dceb63ca14680d38e7b

SHA512
12e3585d944b299e15791c721059304aa4915ae2ec3fd3bbcb49e9b01a1628f30487306f4e5cc81ae39bc62a41a0cffc9fc024dac29363c9107da6faa89e676a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
e924762f35cbf200b5758b1ab87e802d

SHA1
4e5172e4e5c1c98a5e4849b4fd2dddd0ca93e66b

SHA256
204aadc8ca80e2bc80111f33b2ae4b0ae3819d952355c54dddc6b5fd00f5c50b

SHA512
0f02fe4fb42acdd4b2ccc34874a478da18b4bd0fb195a564cd9000694255ee0e69af6faf5d65665bb5658c9af033ff6f2bbd4a8f084b8a95b3f83464d2449bfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
2c875d87d49eac0b8b42ff30fed1e9ff

SHA1
d28e6ecd1b195dc00df11e212866a47c3aa9749e

SHA256
158fd818785674ae2eed39a03f974caed031a079cb7ed0329879e5451d633a45

SHA512
4d6a8c9fe07bc96c2eacd2a44b3c52bfbfd89a383aef1248e846b13ccda3121ce07d3cbbd700a1935b6d48d32c242665a505ed7f337316ef5214a9838311b280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Decrypter.exe.log

Filesize
226B

MD5
4ae344179932dc8e2c6fe2079f9753ef

SHA1
60eacc624412b1f34809780769e3b212f138ea9c

SHA256
3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

SHA512
fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

Download Submit
C:\Users\Admin\AppData\Roaming\FridayBoycrazy.exe

Filesize
280KB

MD5
41e34a8240026b4e9cd8d81a73ee8b2c

SHA1
3876b12e152dd552a7059538242b6f87a23e60f5

SHA256
0ef2768bdfaa0b953a5c498f18bbf2df5dce249eaf2044474c476c4367c535b5

SHA512
a7d610ee4f116121757f47193bf092b639cf2d439dcfa364ea800c28c0f21996fd8baa31c9abe68d2c18cc8f334c57f9d71c4e444a04a27d3b9cab90eecbba73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Contacts\desktop.ini.oyko

Filesize
412B

MD5
449f2e76e519890a212814d96ce67d64

SHA1
a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd

SHA256
48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7

SHA512
c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

Download Submit
C:\Users\Admin\Desktop\ApproveCopy.rar.0ek4

Filesize
1.4MB

MD5
1ad5d881b1f0e0f7bf4aa200de4a2d5d

SHA1
34a4fc3222816f10f9c7428b67bc59ce48bc27ab

SHA256
18169bea20f052efda04de6935122d1c37e8728be2054228fcda85c264ffc839

SHA512
868cba3239fa9857c244f894ca21246d7cdb807465f31eebd9874eb96ffe2b329c48053fbe972635815f963a1f7638dfa15c4f1559281a6871d630ebe9921625

Download Submit
C:\Users\Admin\Desktop\CompressJoin.ico.cgt4

Filesize
928KB

MD5
3c3ce453aacf5033ee9169f97baa3263

SHA1
41655df3359428a00c4499b46b124818c1fe3fee

SHA256
2d0052cdaadb7447ed85756c46cf0c65737c7d6cc99657fea5c5d5f513003837

SHA512
5934bdedd33618aa372a8278f3f0ee6ebb74a05a96ca6eaab55960edb1669b97009f48b2e54a9435d68fd3983bb80e6187bda3efca588d03bfb07772b6ea3989

Download Submit
C:\Users\Admin\Desktop\ConfirmNew.ini.9io2

Filesize
655KB

MD5
e33e48b77bf45bd082e355e30badb290

SHA1
80e07e56ff5473e072e6693b4d9d6c78a4af40be

SHA256
7af3d37466baad9f0cdadb4b4cfbbfc5023e110f2864cf9371392e9e3e7ee05d

SHA512
f101bb0946b3908399da6484884e4fbf0cabeff78394eb2204a322a307067a50b6df8d131068898a51480eb23189cead9be302c8b9cf00990599890b9bfe7425

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.dlew

Filesize
3KB

MD5
8be7e0d90c696457c3b7ba0ac7c1faba

SHA1
f0941303afeea828f15389f3df08d4170340f846

SHA256
bb606e27cebc13e73d965cbff1b6bf017505f1ec1951c2542d496db561f1166e

SHA512
849b44fc43ca0f9fb1063807bba74b107a82277e3da33925979f868ac10514f14f33695e762505318b445b25b507ed6a2bdb9a6f19bba1dc0936c1a96f08fa59

Download Submit
C:\Users\Admin\Desktop\ProtectAssert.odt.sag9

Filesize
1.5MB

MD5
f83f8a77ab77068887568a8a740aeb81

SHA1
350f21ca5ed8a7acb327cd408f0ab1af667fa32b

SHA256
e48fa95358b10c5e24a7b154b65f274a8c43680347c9e2d233b0bac0f52aad51

SHA512
6e3032a94593c390795937aee4c0235566978e2dffaa7654805817cf6f75b7eae382391f6c312ccaeb65ca64881b5a51dc8e6b36d0307c280383116d8274cc63

Download Submit
C:\Users\Admin\Desktop\ProtectComplete.mov.f725

Filesize
874KB

MD5
64db7635cf5c43d946dc7859dba597aa

SHA1
625d9a55bd9f0825550c7c6f04856a3c649fb0ee

SHA256
471d2fc64675bc8854a2b64bd9c12c29f52de5ee25683fe90823fd5295008bec

SHA512
5258d889078707b08dd4306d3abee193123c8061066aa536920ec01e649f9eb07466c3e17ea4453d30e952d175eb775227cb7280e7b4c6fbd4a9fcc49a69fa5f

Download Submit
C:\Users\Admin\Desktop\PushRemove.xlsb.uvt4

Filesize
983KB

MD5
c3a66fcd95f62b7dc7b6c33e2d9dc7ed

SHA1
3aec8072065f437b50960e25a49b2ae3388b722c

SHA256
02f755f430ad81e5fb5368ffd9853ff548e0780cfa8ad9e2b5e64b36843ba630

SHA512
ada623f211cdaf251369c07c4a981bae9a41b64a97db62eeca445e84ad6741165c86134fee958a039522199cfe5fc0af8a1e046d03d18b674e0104207e7a2269

Download Submit
C:\Users\Admin\Desktop\RepairPing.dll.r70d

Filesize
1.3MB

MD5
e44c8e4cc81595a56863431b54224a7e

SHA1
31b3f9f2e62c6c480e1f9f50b8dd6217a8db09d3

SHA256
bd82bcdb915849faec7fa12c2a843ca9b462220ab779c8c60371ed027bc76b05

SHA512
55132fe8a2658adab5e88f7de1505d57d4003e6c4b941169c7efd5dbf0ea5bbd1c76fc4eb9cda632dd9e6c47444952755c9b4204f7cda14baeb18e3e48fe83b5

Download Submit
C:\Users\Admin\Desktop\RepairSet.csv.dfwz

Filesize
1.0MB

MD5
ef0ad3d9a911352fc3798ee35dca9479

SHA1
62194aa0f2635fd5f50e16eac3b591059f8a3343

SHA256
5f4ea64747ebfd8536a2b90051365cd565be0881a18ec7b0db10929628640199

SHA512
fa5283790b7bc3e2691befe7f58d1ef95ac6e39edbc6dfb73066b33f7b8d721193058aa68f9aa6fb84eb02d309cdc506331cf8fe751b4517a9a3f1264b265ad2

Download Submit
C:\Users\Admin\Desktop\SubmitProtect.contact.ifkt

Filesize
1.1MB

MD5
82bde28be1563e7371dffa6d2828bc5c

SHA1
c9527bb47f022cdde17c36e40cdf453f61636e28

SHA256
3e384ce5315b8ef447758f5d8cc8baee77dde2ee337da1ecd74e2d15a3fe1038

SHA512
db275dd48506b2f3010ab574cca760c24505aa37e0c7e27c13916c10057d1c933b74524a8a72add2ba0f97a944fc3364923e5a261648d44ca06ba5d2aa288846

Download Submit
C:\Users\Admin\Desktop\UnlockExit.xlsx.law4

Filesize
17KB

MD5
3d386e922111b2ff47367bb7ed270b1d

SHA1
79cf788e634ce8e2b0e0b4fd20c943b394a61b00

SHA256
417bcb72f8a396a8f6248a821c7cf0f305f85d122dcb6c0f94cf81d558e5c6d1

SHA512
545854fbbd200729821913e0365958461d95e84390d3e980e9325af214b8a4d3bb6deb9f166e8d47dd7a4864cfef1614b5db6b7c86e7f7573c88580f653e58eb

Download Submit
C:\Users\Admin\Desktop\desktop.ini.av28

Filesize
584B

MD5
1f24eac3455a81011576ed608260f502

SHA1
1e95992cce4d1c3f17fa42599fd5c9830cd71592

SHA256
3e26179fe09fa557d7b867ac0b0cb5a1b336d91062c58f000c60f66d090abe2d

SHA512
c4fdf387cd1bd19817fa31932a46c644e025d71c998bfa6f10319cdac1299cf7efb31f6b78b4160f2eac049274d515e3251475d0b207922a3e441d71843ef47f

Download Submit
C:\Users\Admin\Documents\BlockInstall.pps.zukc

Filesize
2.1MB

MD5
c90abcb74e81ea2ab684695ae865ad4b

SHA1
0d3f20574aef9d383422da35f5c9ae3fc44e58f8

SHA256
b1c3cadb1dd32eb625d4e5035f71b4dafefe9776222b6cfd5c56fdee58718820

SHA512
e0f0c33afa4419087f146d8a4b127494118a2a2a1678f880307c2c9e5fda6b6e5bab8b59187542443a72b087e7de8d209c01263f9393de3aa47f61a2aeacda06

Download Submit
C:\Users\Admin\Documents\CloseSkip.potx.4y48

Filesize
2.5MB

MD5
08786e2afb2cce1ff8350d791e7b5c8b

SHA1
db1f3b46760022dc9984b5c2902167d5d944697a

SHA256
e903e9b8db544ba29998d7fd48b838e6756a820a6bd5dce6ec9b0cde2d086a04

SHA512
a3a242f4a1861119f286a3eef1628b5c708d60f3a713bb62170c56a839675f680bc9a6637c28630465fe77c3a3f60f621fe09b2c3b56d546f247d6cadde896e5

Download Submit
C:\Users\Admin\Documents\CompleteUndo.xps.zpom

Filesize
1.4MB

MD5
714615a1889b7ba3cb2e2d11c5ddec9d

SHA1
675f6a095b0f2149ed4155dd7770935e3b1072e7

SHA256
7ebd4fcd962336a371f29b62408d17e98f63c5d781092dc99760945d4720f833

SHA512
969f996b73ca895f6b8a67b836dbc47de3c0d5dfe5bfcfeb54fef3e8c35e496d727c36da7f03b6229f527b13f09440c5a24f4e99fd1383c03bc6f99e076bd830

Download Submit
C:\Users\Admin\Documents\EditRestore.docx.l78f

Filesize
18KB

MD5
d8b5bfc1bd6baceb67d09c567794d779

SHA1
e6608c4e31d85978ef9e3e9394dac11a3274d103

SHA256
8947d6ea8ec209b3dc609316286d3d6f7733f1a9f595c37802a41c73ae799a91

SHA512
2f5eabf8da2a5b7471f56cb4097f7c1f019333947450efe229e12ba9bee77dbc222d2799353c31c60b589fff0c7bea81c1857d522c22bd37c9232ce21d00a0b9

Download Submit
C:\Users\Admin\Documents\ExitEdit.mhtml.25u0

Filesize
976KB

MD5
79082a954ee23d1ff85894b40d2156d2

SHA1
dfbb2631badc1cbb678900bebf32f9ac50a6b649

SHA256
d3520bc4f2675702e117061858937c17b1287c2735d28d00b9c5e684b2ab715c

SHA512
0978b1f1c87758602e8dac070a0612680c02683fb1b5845ab0fa356ada617623dc6eb809a43855a08195d02eea96f56a36533c9bb392f32882b921ff58f50548

Download Submit
C:\Users\Admin\Documents\InvokeNew.pot.337p

Filesize
1.4MB

MD5
fb8dd08422c0504ebb18427c1d88bd12

SHA1
fe529ea08b13830b7328cdd693cbddbc2f1ba4ce

SHA256
bdde638a72145d3a3dd151a9ed1f445c4ee02ee6cbc2755a2fac9882d1dd48b1

SHA512
aa726525cc5d46830623f03f8d2097dbb9385a55fe85f021c1fdc17e0a88bc35e39760ed7a81270c7b9150a73438ec4b3901ccf9fdce74cafdbbdce005fbedf7

Download Submit
C:\Users\Admin\Documents\LimitPublish.ppsm.2w7w

Filesize
2.0MB

MD5
fe32a85934de9ea0557b2b42310cfa67

SHA1
5922aaea4ec2d90f7fb80b4e8f01bbc4a93f6f6b

SHA256
c57ac61a1562d18b4e815ff0e3d3e3478aea00772e2470b95635ef0ff254436c

SHA512
a8370a5a2ab5876ef45fb18e94d6aa42e60f74c7754247897c9f82d7dbef941cabf981e726b6faaaf3e64fdf5145c5ef70c0e2fdeb3021df0172726f8c569c79

Download Submit
C:\Users\Admin\Documents\OpenUninstall.xltm.sja0

Filesize
873KB

MD5
bf9c1eb1dac55dd052cb42d8a4d27019

SHA1
ae3b1bdbad4fa380b445175d7bfaf628bd8a300a

SHA256
b83df8ca8b6626f81240d6c183dcd65055b5fa3507cbd234dc6df1d8c518d5bf

SHA512
dbc0a4bc346b3d186755f1cf845234ded0323d8295202f2ec8aedcdaacd0c6b0f117108294ea4288d7975dffe8fe06196d28f0314219b0e5b51974cd6bfc7b11

Download Submit
C:\Users\Admin\Documents\PopConvert.xltm.ykki

Filesize
1.4MB

MD5
06c2822ca43d82737a7a0db67951fa36

SHA1
fb951d2c87519ee972ba54ab0a98bbff87db5d73

SHA256
f27784374b1649d15aa42054b56e9c7d4f4b4d06be9626c1e6506b270f6c47a2

SHA512
2efce89c7c13d1d34c4f817712c84db4d0ef20c5de3238fb753ab9d90ecd033263e4d5b91ec8ac87a0ccb27a21803ff29b7ddc52d8a109a7900b576b658cd2f0

Download Submit
C:\Users\Admin\Documents\ResetRepair.rtf.7gs3

Filesize
1.3MB

MD5
21a3ea51c7a3cf2582fc42b0a196e4b3

SHA1
2a1a1351e6cdfaf52a078b535a7c34f23f3fc854

SHA256
821c9caa2ad2873c5c76fa85bfcb38992a2dc6daaa29ec64cf8945b71cbc6791

SHA512
b261fd00f26aba718ce78374f321f237f7a4af2aabeed558fb16df20b85bbb869447e411d547389873ce17084ebb73dc49a0ca48fd59c949cfbe3bd3d9a3e09b

Download Submit
C:\Users\Admin\Documents\Warning.txt

Filesize
642B

MD5
072e26ca8a9c9502061d1c3d9e3bbeaa

SHA1
fe55bffddd0d415c293e8e926d302e3586212322

SHA256
f7b22500b7a82a9446b635353aceecbdc205c9208eeb72c2e2c1b6d0a9a1bd62

SHA512
2bc83902a56df2a3178c3b59ad8014a08b282e60289123a10d9a4d643a604876e008e782a6c861bfd211580a5fdbb1bcf748c3197210d71dc18d8949c62d4610

Download Submit
C:\Users\Admin\Documents\desktop.ini.0xyf

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\Downloads\Decrypter.exe

Filesize
218KB

MD5
97f3854d27d9f5d8f9b15818237894d5

SHA1
e608608d59708ef58102a3938d9117fa864942d9

SHA256
fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2

SHA512
25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696

Download Submit
C:\Users\Admin\Downloads\Decrypter.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unlock_Files-decrypter.zip

Filesize
172KB

MD5
a47dcb863132ba3fbdfddf775f64bf7f

SHA1
6282cc85e1b809f9fffdf797362057d8ae461871

SHA256
c74b1eaafd5c20ad22d9a3da9f6b58ff7f8207ed1f27acd6cea17eb95feda1e6

SHA512
0cf29b7123b55e762c20a2166b6c5e95c425b14fdffd8a6fcac381f35bfa5abddc4caea7a5fabfb508734ee1fa0a395986f4e3e24674753e07ca4516d8920c95

Download Submit
C:\Users\Admin\Downloads\Unlock_Files-decrypter.zip:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Users\Admin\Links\Desktop.lnk.j1iz

Filesize
501B

MD5
ab6dfb678f0844d1b929eb31251a9395

SHA1
7f0f48d67ee455fcb701c28e1ecc106e0d633c49

SHA256
40db4ca37c290d8a3e64f47d906ae18f12af5fd3bee8a5c9818eaf020473c874

SHA512
6daa226012cfe0539c2ee1916ff045465e010cc8f953ecb276eea96926834d006ef2079f761581889f96ac4e5dd05052c810c4302725e2d2b5a813c07dc824bd

Download Submit
C:\Users\Admin\Links\Downloads.lnk.7lye

Filesize
942B

MD5
9cd119a74ec537603affeab026ddb980

SHA1
73e550e0fa7f15e3aa68f7208f07172ad6e8b137

SHA256
0977a84ace6097eb3166b35571eb679a61d8af59b7cbe4a8bbb45f175bad33c6

SHA512
613aaa02e1c2cf0bd3e572e7290f38cbda550bb0535e119c10fba435cf17e7c3a16a351ca432377289d12735f37bce18ac71b9c6e60d9256f680913cb371274a

Download Submit
C:\Users\Admin\Links\desktop.ini.7o2x

Filesize
504B

MD5
3b960da228cc489b622697659c885d64

SHA1
00686a12f1a43501f6eea2140da9be141a11bd3b

SHA256
a4234e2cf44c57609fd7cb0f9f0a33ee136b542fba5121ac02d85b38fb2ea02d

SHA512
3cc46f016865b3d541506cb15d7b22c83e1434bf73de23b158101aff08532eac29a6d9709060e9681cbeb375e2f843497ce80c3085579a8266c7f22b9567efd6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\desktop.ini.8oo0

Filesize
392B

MD5
de0e9994bce42a230062b8b47ceb0d20

SHA1
ee24e5d87d938f8b027be161117e4f2db62badb2

SHA256
da31ec7a8bdcfdb476351c36212a4096448b01336c01710c422c7c8a14a8551f

SHA512
3de9937d586e802f643c4d6c40400783c84f5b0584e86f95eda1413e3f34e72e46d74b509d416a5956f5ede0268640dfe77ed6794bd2b5f469884c198347cb5e

Download Submit
memory/564-0-0x00007FFEF75F3000-0x00007FFEF75F5000-memory.dmp

Filesize
8KB

Download
memory/564-1-0x0000000000FB0000-0x0000000000FFC000-memory.dmp

Filesize
304KB

Download
memory/3200-455-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/3200-14-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/3200-22-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/3200-1724-0x00007FFEF75F0000-0x00007FFEF80B2000-memory.dmp

Filesize
10.8MB

Download
memory/4904-1027-0x0000000000770000-0x00000000007AC000-memory.dmp

Filesize
240KB

Download