troldesh | 0a88faa27484c7c163bc90fbf806a9dab84226c2f60f3410695278ee76d065f5

Analysis

max time kernel
477s
max time network
475s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chew7.exe
Size

4.6MB
MD5

7b232997942b2a5c7e4dbe931bb4c67c
SHA1

06c6d3b5b66585f03bab25c774baadb575cb1515
SHA256

0a88faa27484c7c163bc90fbf806a9dab84226c2f60f3410695278ee76d065f5
SHA512

1959f3334af0061fac523e31fb030d77c13696977cc151453ca0546cc624d234b2198d141e61d597e0d3c2ff3068ad8f3d732dd477a5b535ccd56dd953588412
SSDEEP

98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4976-1035-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4976-1036-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4976-1038-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4976-1037-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4976-1051-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4976-1061-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
209	raw.githubusercontent.com
212	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689331381013567"	chrome.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Applications	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c0031000000000002591780110050524f4752417e310000740009000400efbec5525961185907042e0000003f0000000000010000000000000000004a0000000000491a0a00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Applications\7z.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 50003100000000000259557c1000372d5a6970003c0009000400efbe0259557c0259557c2e000000fc9d020000000a000000000000000000000000000000c58b460037002d005a0069007000000014000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "3"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{C63ED2DF-E6CD-4F33-812E-172CD3DBD25C}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Chew7.rar:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
4976	[email protected]
4976	[email protected]
4976	[email protected]
4976	[email protected]

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4888	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	Chew7.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3044	MiniSearchHost.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1756	3672	chrome.exe	86
PID 3672 wrote to memory of 1756	3672	chrome.exe	86
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 1800	3672	chrome.exe	87
PID 3672 wrote to memory of 3268	3672	chrome.exe	88
PID 3672 wrote to memory of 3268	3672	chrome.exe	88
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89
PID 3672 wrote to memory of 4940	3672	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\Chew7.exe
"C:\Users\Admin\AppData\Local\Temp\Chew7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb36f0cc40,0x7ffb36f0cc4c,0x7ffb36f0cc58
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3512,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4852,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5040,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4348,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3716 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5212,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1128,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3472,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5576,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5772,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5512,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4964,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5496,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5568,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5800,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5744,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3260,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5960,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6544,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6552,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6260,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5872,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5232,i,2506535140883707371,7091726135412378151,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4888
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Chew7.rar"
  2⤵
  PID:3380

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Chew7.rar"
1⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4b9fce6b1d4f2763b527d7acc7a15cb4

SHA1
d716d34ed32cd8ec17ffe3deecf7542634df7699

SHA256
4966a622dd8134f78bd7ec99692de6c70fb7e6e3f2a7cbf4bf862baa4eafe9be

SHA512
ec3008cdb92fd6d13024977e87f66fa8c897476e7b23813b0491b53d9265b39a144985ef51e96b1ff1891c944512762faa4cf20e686797d9d39afc93eff7ce22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
743ee3efc4d4523a97e175e1e4e5c8d1

SHA1
acd2804ed9657abc311b3b1d606ef4216ae975e7

SHA256
254134bf9e01500fb2f6b1343c2ab23531cf2a5d1dd0df3ebe3e6fdfdc3f162b

SHA512
6f4de7611b7481f2e8c3c04ac5c93d4f5f9a6e01593db5bfdebec988a55c77447fd5bad42d4cdc90134042af214ebb44978e0b11edca01f98a4f8009aed6954d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
eda9e547bd7433766bc29c945c07f588

SHA1
145b83825f6c30468a05e25eef7962b0cc107bc1

SHA256
a22aeeb08c6cb0b77554f54422d5b25ed6d6b543d971562c327e506a0c11af87

SHA512
82ec32bce57b9e2f8c13bd5e3739c164ab37a524a5d09d187f2df549063b68bac7933e6b0b86ed668534b5e72a468c5f18843d9a3f229279f2ea1768ad699754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7d6374a3fe3204fdc4f80dcaf15de482

SHA1
f31a77d750754484030ba1dc96561fdc42663fbe

SHA256
9b5a68d8f8455e939fb8bf0cc6c42ab932333eaa254bc887c80381e5b03fc85a

SHA512
424bf014044c0ce7b9652748868398fa8b467edad6e3c47e5309de05a2981e8f11ac31cbbd21ca16463ce867f0990fe72d5c2c23ce0233aed9e022f14d49960e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
82b325092bb59b4638dc4a1ee8e493e1

SHA1
3ae8d331ea1b4da205f2ad58e5c9131c3eee5a96

SHA256
c6611c7bd8faa0f71e454d9cb274431d70090e02940376738eb99e386f4e71ab

SHA512
6c35470bca7f2103b3155d7341e3499dc593d287c8d415ace737268ad446e706c39298f5d9c838825f5f0b912ca0f059cbd854e91a2298a3da966069d5492132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
8021b24174f77b95c3bd206275792d6d

SHA1
e7e4bed3155037fb5a64c5cf6dde8c4168c31c35

SHA256
480c38e1eb333c577f43b0fe9823b737c4cfad7a2a8cab4f16cc1a3a4e5edb11

SHA512
dd36c5f4a0ec346b782861d64482d6352c391941383aba262f44454d1e408b37ba47383a81e3b04e6552780283786ffb97d7beaf07fc23f360be28ca52bbd1a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2b539cdbacf8ac8679990fad30f681c7

SHA1
c3bba1098eac4789d6005a0363fbd0f7ae4115a6

SHA256
74b608cdda9b31ce99e4805bc727e6d837daeee496cbad3e0ec02690ca381e42

SHA512
897309feea05217c18cccffd22028aa17971f377fadc1f41aa10d5d81cc4c0068b0f658f93e12a14e1e9fad94129e3d2a7fbe035a89d2fe97a2c91c48511adf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
828ede4383028b35b30abfdf4bb0f8d9

SHA1
a83a8a11401b7897882904fc4b0e0c811644aa3a

SHA256
a08368f9964ef965ad3eee01305c19e8510963e5706b3d14dfeb15ac5e5e3c52

SHA512
7772dd09eae59c8f946e2c736c9d2b0316fe5a996e90cf552bbb54e4701913315f97d2454f12bb8d776e71f1f9d56a44ef47e5f2381ae5c6495fd5d9e239df79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3b9a647a1c6f6e78023317644f224fa9

SHA1
de85bb4fd6a0b976a7eb95299e967fd40dd70901

SHA256
16b77318757da3d471f4a1b98b8f56b3f5799884856f2bba92c421ff770615c5

SHA512
98a31c4c395b5a8858ddf5844e7aad2c1542627deab8bcec2cdbcdf0b51ca72a5dae6ee51777ac21a869aacb0f2140c136967a012532ebf2d5df1c60ea6197cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7df36b99ce8a759f061cdba3592f3edb

SHA1
f7d2df48acfe12da4f6ec4b8aad4fbbd18e43911

SHA256
dc756e04d5cdf6b3baa6bb201093e3a6ff481671d2afe5e69d57d0bbeab73bf5

SHA512
760bde28bb6b815be207f83fe6da420d2a8fa6bb8c1ed4e3f488d341210400ec32ff8c6f521ce24f6c087cc629056d24cc95e88aadd41c9f5893b30e44fd0ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
ad8303767380b89cb8fc38e46adad502

SHA1
e1a41e325149f56b1ca1ff3e58a23ec7b8673629

SHA256
d0c2c5866be869f1b6e93ceebdfc5cb999eeac4200780ded27a9a16a9085540b

SHA512
3ac199729746b0f835d5e4837cd3afeaa9348eb0f5c125c1922c9a42617dc872350a09b1d37236862d7712f256e855126b015f63c01b1020589e6aa18658a045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47c400aa0eaf4f8dfbd33792ae4c043c

SHA1
98550964845e110e2c9d54871da4958711b3726c

SHA256
8a6858eb2e77b4481dd1ab6e592e4619f5e7198e552997586e1b5780865adbb6

SHA512
110ec9258a32ada805c9f6b1b1f9dc87005a03785f17f583a76f44ae186a1a2f59651fac79598a3cf1647999086e4b1b82babcebf95d295af8de5f78b8012800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6445b1e2d9880af027eba945e669e4ec

SHA1
e7ca85316b66d6f7fcc9b6737f97e96f55a02be0

SHA256
b7d3ea6e737e77a4fd1b0b92ba93ae39ad131f92076a539a2ce7f6e31c0b9961

SHA512
fdf705545f174ca808640449449b6fd80b1370204e0a889a985b927d21126d0e5d49f9bfd88ff2cb1bc02dad2fe0b72284bcd526fa6a3b57552688b53b1b13e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0175d26304c758f01879a0b04a976cfe

SHA1
c2f7d74083b4bea8e709475aa62df1ab52763265

SHA256
2b1945367314458da43a405ec1f4676a2fa6cddc2f56926d7b61407222e0c229

SHA512
321efd043a6513f935c66de7a91de87e54673c4eb34a02a334c598469c1f899f3856b463068ef7cf8b0f347686c98a31091735fce0da204117a591aa98e81c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
c33e3b897a67049950e75e5975b08db5

SHA1
a90f073048f6c3952449cc048369ccae9a73acef

SHA256
5993a1b9b44ee78065f12def34a12e67e4f9e05fce6ca77fc6640fdff0a9428a

SHA512
7aa665ec10a422e68fe875d1dfd3ff686948674cbbb20c850f216080ae5280b050b5a08f1ffbec76d54069d2484cc626ef3fa06515d33affbb95ad355779c5a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8663271202176e9d831020ff47d75d60

SHA1
25a058b646b4824c3157d02358b889cc08b279e1

SHA256
a851a266809bded2bb0ddffe10c1e23efcd599833383442202a2fa891f9b8829

SHA512
6904321f4c7db3118e4579715ec187784d887eec7ef84b9e160ef2fd2008d3dabb6a969ed3a5ba18808e646beb55125dc92e759aac1992e1ff9182758f8d6eaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
91cf4211ca12750ff05d581a608b1d9b

SHA1
4cb273541af338a7fdd8297c177d2cb2f817253d

SHA256
c02ef1eb56b0670ea0d2a7428e650c0af5138cee53712901f0aa0d156b93f6fc

SHA512
02c5a92f7b051723cd14e3bd073bfae704e61c7af2ac0e4e3489f2b99fe4157ce1192df4ae1da0eb3d88c72226fdd76ffedda1a216603ef0d7c3d3e0c3f7d9b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b847fad0e236e39a9631e7dda97617ef

SHA1
1b9377a19d332b20f3e1502b94700a0e2ef0e46f

SHA256
451211cb6519217e45fd00bc534a380f54487cffe64a01121084babfd1cedf6b

SHA512
44398ca93b71dd88e6dff00ec05e0381d3c2ab3226fc65be905741efa53ea76096d4413168225ff6dae0a9aec2991f1b9873dcc26465126e7014ced3466b801a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
cc203c512eb3740b07968e3b88c95c7a

SHA1
40223c4a93bf1227bea5a9a79f8afcc88e92ad66

SHA256
a5163b6fa6518cdfd8526b1f86d0be8f5deef63a902155b1e826535dfb1b14ee

SHA512
0bd882629988c30468f718f02500c142415db969468676fbcaedcdc7ed1d4c1a6aa80f6e6b3e1ba1dc38cf3ff3a8ace802bc4557879dafa4b4d0702e5eadd00e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
42ec7e282e57948dd3db0181143fc83d

SHA1
c2121089499bc2881989b0476f0f07ea320a89c1

SHA256
f00a0e752975d7e689b4616868bf8d4aa8cf521fe74540ca5eef433b96d38e77

SHA512
e01b7d5bb2d19f38c1d4fb6e8da2bfbc0196955eeb06e237f001a06d536a4f278a874ae70c99f4a952a09c87d0e100e625eedfcd108b194f55f2dd615e18b73f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d4839ffab71f154be51e915ef30179d

SHA1
b0caf7863c386518edcdcc6868e3f4fcacc3038b

SHA256
fed231e5f67949f8863b8bca34f8a73ce8cae883d701c37f0ec725b440f0ea4c

SHA512
ccc246e14458663601afd16dc1d6dde60a3fe7a3a5ecb093bd4fcf242e9417013e2a62f8aa2f14a4317234794fc2f47e72677f27f30c3cd2a2ee88d1f88c56f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5419533e1d54e88bef1720ce908c1783

SHA1
796b4b09a6b7601ac9fdc2574479a6fd22ae1cd1

SHA256
73d6e61d764024226e62f4193edbef1bc94f30b4bc2e6c40de1e9f10823eade1

SHA512
ff53c09085ec9e88a328cbba4230438b3e53ee02feb3c115ff74e9104ed714460b0d5527dfd93fcceaef04d5d2c67cb464d017ef5e6df4386e05da442c59ec92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3cb2c260f823a0c1becab46c1258525c

SHA1
2d419e61f08dad779f2a890e59ad0ff1a6796c24

SHA256
97cab33999b1f381ad8f224de22cb370c028118253484900d61c15cb7923cdec

SHA512
96a8797de37f8c5d6a1d1d7e6475dd8d9d539587f48ac8d206779fb71d2fe1500723cfe03b92862d2bb5c54fb08f864b91bb7390670f38b4d3c30cabef6aaa04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e41a292ff35aa9468be07d52e775e456

SHA1
963bfdde2bf82c8553ec01eb179b5cae882cda3d

SHA256
4dbb948f1c8a1dd3dd81bd93217165af6c1ba9d11eacebd514ed30b73beee48d

SHA512
db24266fd9a51f35960f832fb7b25441c3162bdff72be0549b815bcae5428aa9d1448e21c30249b87ca63676af2b3ba806c390dd2a232b0e098ad71e0a774161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6838de9eecde6bc34a1082e8a539101d

SHA1
37ab399aced21b996a39d113b97517684860589f

SHA256
209b040b5781d11644b098b465d081812680fc09a5ddc215470b364d5c2d2187

SHA512
702fb299809b7ac74cf67f5bb04cb633f099bfe913158e5b7fc82a179eb9efc30b6bb28c83777c0cc38a830c9427e8882ebde7e8645f45ea0609dc67fcfc2f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e8cb6c55f2d906e6cc42c17b0e3a34dd

SHA1
6a8bde095b174f43a96a077fe86834ecf248feae

SHA256
2f7fa17d16c8a6d33f91daa72b5217ca6ece1130ee2e318c49c11b53bef9ad83

SHA512
5e2dd3f1eef8dd49ec5ffb44bf600fa1739d0466fc3401746417ad5c460a04453c2bff20435b3d302cb60ca2f22335e8dfeb556eef198854f0839e18a3c22308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a66c09aab9c9b8ae2410b3258cf26568

SHA1
2310fdab32286f7162b88ba16ba4cd274b8c1674

SHA256
8a7e8a347cc83aa567f13a9a25142386ddfbffc128c7d1f8bc9a6e818fe6e0b5

SHA512
12eab70ddb282cc2f4b6145ba3f195e9d5208aac349050bf40fcc030caa2593eab30ed64e34c44fec731f98f464f644e0b262980fc6c41b2adfe7da87827aefa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
216b97ff38fd2f85ff540646d1516f10

SHA1
6241159cb7567eb3458c72e0517a8d0f9a213355

SHA256
70831e74fab8615547d7a58f05506955ce6ab423b8bb379d2dcb29f55b440385

SHA512
9a247d5cc10bb5fdcf7532251813061e287e082b02ebc98c52dbe9a0acec4ae86b4eb42eb42f774df166678544d9c909c0f146624f6da9f2b45a193b5825c594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7d74f2fbb6291e378020505f8ea39dc6

SHA1
47b742cff281f119af127012b1c1024e303de85a

SHA256
86391fb46730334cef1a67ad0ebe7ce22b4802a83036cc25e5e2dc15392a0741

SHA512
3b23a63d5db3c7db80fdc9eff000ca040120c9eb1d401a041f965c970bcd832f1e56712c1e5651a6ce1688c2520fac6f6f5720e9cb60be8645393d61701bafe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
03e2ec58238de271f96d00f8ce7037b8

SHA1
971c1d90656240620bab718c74aadde31cb11b91

SHA256
12f1b46e4bf563695f1884d6b7ead192bc8427519b349db7e7bba67d61898b8f

SHA512
05d09f8f2a915c497a50cb4a79f5f77b5926d63aa0c69911187a3c1f0d61f9767e0be6e8d436b30dcbb2bbeccbe2721577e54540fe2c37b1fc929389db682ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8ac98911c864879f9148f3dc8cdee3fd

SHA1
0b8bc2cfc9120989d8337fdc8505b4ba0a2c0fe8

SHA256
8c2192fefc0fce2f868f32bf41f58d0a1ee8a270c2c04927b837565945663520

SHA512
b9881e83b5375ba802b90117d657161115d7c27a43c7df816de1ed8d63bef17ab517c9f42a623460d1a3240703701501f576bf20448ca0dc9b5e51f0b61553fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d098063400246a229460ad0cba5fd1a

SHA1
1e7ae6f9b0ead124d3d6b374f946e0fdf4ff5aba

SHA256
5b81dd78674a7c2c5035924b10d277a0c51f523548121af3e42d3582c2f77ad2

SHA512
3bf340dd2ff06f127d5b4d44b0e542744375d7d61e8a251b3bda08602b6482c344d70af2290e8dbb2a13ca0fb439eb32b3dd0669e8e56224f2c6feb1e2a34054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06bd97d79a90f83b8cbd229917b8c436

SHA1
29c750d47d143bb8eb6bd0208a6e9d5f9e50cb16

SHA256
4850036c5d6a46a19b648f54ccbdf57f13a5b22c8371feaa7af038b100c89481

SHA512
532b74c8dc30ee5078aaec6cac1c98aba31686603eee130413cb6ac7c9578a30ae1fa25f870b4c892496143e07edcc87e26673645f8d813e3e51063521c0a3e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2f4eca7f5e40d94dddd8177d47d1ee28

SHA1
6f1b97f3ebf22a465656c564cf47eb0cec85097c

SHA256
ac63d28e6dcf79f6381e7a9743070ff6ad4884816ea3a4cd14e6443bc93b222d

SHA512
37115713961d93df361bcc90988d85665690346d6b9eefbe0196dc28903d3b80edaa2e8285689f7f7f1eec399205bc5b0a94247be8ea280f11308fd3ae3d4d16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
37086acc6a7cc4cd6c4b6f19d67781be

SHA1
032cab96f31c9c63434368121550b8a0902de112

SHA256
1a54ddff5006db7c0c6c6ede758e523674d9b30672cca569f3fd3ed2ed82af5f

SHA512
ee062cc639e2373778798cca36c3b26d662612b12483860755e83e91cd81a9d4ecc914ae3e77f7cd0d3f31dfd42af4c44cb1d4b6b93daf75f06de22c3ad7567f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
85725546505906a3362e5fc3bdb289de

SHA1
4be88e083f86c9a9e2f05cb0c14b7c846b68be7c

SHA256
fd2c7c757dc666815056760c28332ae705f89815a5236db017741ccc3faff65e

SHA512
1012bf4d32e47c746e32359175192dc7b656b67e2a3807db0264fede0ba3454332e1b3248126f895ebfeea0ccf6e9db26b4c4d2642dc5813a09e87848de97bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4512448f94c5e87de79ccc243b866a49

SHA1
72d5003201a643174b3e3a3bbd604b663adea9b5

SHA256
6f09b49e002310ed3766c5d3f39a6cb452c4a682e4843407f290fddd7dd37ce9

SHA512
763ec2cfef2de92f4a9669fb827438ba365466a8b481a3295d79d70189b24f20cf1a3e77f7ddbf038a1d48d498a08b28200b53bfece07ccb4f51cc7cde940a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ded4ab6d5d607768bd06f4bcc43bace

SHA1
258863be40acced33247f008cc2ffe0cb4e30c25

SHA256
707ecf2a1b0994d031ffeaf1a8566101803bd331a5610c2faa4a96231ae765a6

SHA512
f7263f092b060520f1841a251cc5aeffd295113f94ad29df130337580ee260c3d4e4960551ed6d7e2e603098f25dbb3590d325277369cd9a9616eaa5c438083c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e27a38e23be994277d75aa62adfece3

SHA1
7aa1a37e0a558ce5e4a883a915e3ef638e1d53a9

SHA256
3692dfbec1b5666f0e52e83540933b156fecf6c4dc56a118adde0050ecc04bd0

SHA512
90751dc02d2092aa1cc57aa5e81e3119938fbb9bdb3dbca096902385ac7f92a03d255b1dbf4da7306e8aa7df444901ee240dd5099fa509c16631c5e0d92c6d2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
29f32d93d45c055c780a5306c7074a33

SHA1
e3e2e14ccdecea7c14a291bd80495483f8b3d04f

SHA256
83aeead6e1c390baa52ea4e592f752ca08e5292711587839babdbacbaa969120

SHA512
90a306e012dace70dce83fcc0dfe655621e3a550db323c302eda2bf11d920b148b4bfca1d030bc6bfde67653bc52e01384320c5d976e73f455081890496235b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6116a2cc5f1fc7d188cf8c59bd139ccd

SHA1
6f449f3a59655d703cc36c0937d392ae41418e9d

SHA256
48fd87037902ac796515a1568877acaedb325757eb3079da0b1c315cd06d634e

SHA512
8c34811ba5d30a6d1acbb4c5b80252be81bd789900b2535742b93414686222aa8f031e1b060d4a62d4097652d6284bdb58cadd0f26840cec6a5a0749a1bace61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4a9e5f488891ad9ac791e0c3f64b489a

SHA1
63e9e67a9ba3e194649dd17671bbede2eae3663d

SHA256
f017f0827d6f7b8f09eb7cf197a99626992a373ac9a0d23530178e015f1933e9

SHA512
5ead39c2eb45792a85089f35fbf7df4278e3b8b2e6b4b5eb0d0219b66813f75a9eaa9c91ca48350ba5bba9817667f6a0dd1ef6787b8b638c3baa67bf14ba81c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
230c855f233857ba8d450c0e6b8c880f

SHA1
a53bf60f7523bd90656550082bbe1a5e0dae07ff

SHA256
1bc50e7df3d20080346bca509c42102a0bd351b6811f58c6acd652e8393c26c0

SHA512
547955d73f8295a005bd440aed19565015d46bd22413bf528bdd63160a4dcec6c1a5881523c45502f41b092723b06aad76e4c8ecac059ed11aff46f3a97d8794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c0f38d3c20587a4ad93fc5da69077e1

SHA1
36f55a66260cc5b876a76190e8ee6e31c2ae2ed6

SHA256
86ec79c16183ae7dc114f6090d7f99fa5a640a59298e7b2f24d4b7dc1713f8ba

SHA512
523f19e1f3b472f156ffa0161808ef419a839a59a9e980ec806098fa1a98566313aa365781d7eb63b0b5e59194a6f82aaaad2ddfb60dde8744b9eb72ea60ae16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66d11b286bebe2f64f44b3c40da9abb8

SHA1
7fd1e93f59d631d19988cccaf89afbaa2694023b

SHA256
e5d4de6a1ebc224f897bf9ad3df5e1798d13791cb5d0eab72f93448dbaaaca34

SHA512
6b3f5cbd8529bce3ca1ab035cdfb62eab826334426b58a5ab07bce65f0406cbe91b563a36bba347075b1c1be7006407781da404cf7f24d6eea4ed2a4e66a0972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
532e1f9ca3944747d8af8774ecee321d

SHA1
f2e5bda3a33a5dac491669ef612a2d4113baa235

SHA256
1c672d395ba6589879b653a422d8e20f40da6ca4d95dd3d56017223be72b3a4b

SHA512
2bcc9b43611c7725171cfa8698b3fca3cb62a3b93f4ee347855babeb28bce49cb0221a22c41f22b15bf1b71b2ae8cf4b9068b73b77423f8c61bb8784425bbdb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a0f0de7e6dfa52f08bcbc537a18b1d4f

SHA1
30ca389301e2c7fc4710794897d08e86bf62e2c4

SHA256
f2f1345c5da5c58810362c8bf82bfd5a13442f630125ab06d4b29f869b83a024

SHA512
bf670daf320009d4a45c523b667834dd9895d7cd62669927b9b44faeba482ea94f9d00a61d1ce545fdad95b5b744902466f4a96e84fa7ebeeceb2ff48d8368f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2969b1150c781f31bf250c97b4932389

SHA1
78351094a18cabfa5dfac8eb2d3289f0ede5201e

SHA256
b2e3a1e4735db476e1b44188bbab48ec6d93db84ee013d21df324f327029eb48

SHA512
a0bbe05d25a2b18a18b20465aeaaff7dbe4a69c8af51022666808770a86bdccca4380d2baa0254f982ce4059d1e38e50ab03f077e2d8f30503cd264d6cf2f5ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
4a1d7cdc231af076ffed83849ee6470d

SHA1
14410b0034ec70a5e9da45c81cc173bc98367ce8

SHA256
6a187e4ebbb0843b4e13babd0f8f6b1e41fcbc0144b5d0dcf0f37cda9d988ba1

SHA512
5b41249a9b16a5f6a1f3f61f87d17402a33da1973107563c96c7e522a127c06ed552065f7f9535b297a70397a5c385b81b0bab6f221f4dbe5959a64e5ca2b6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
4cfd922efd1ec0fde80a0deae5f41f2e

SHA1
855336dc9af24d145480b4cfd650542f7ff96173

SHA256
4a802914b5ec97e4383abd48155d56dab7756451c665bb6d072eadc94e70cc35

SHA512
a04c3d67959d9abe32c039eefd54dae634619a3ccfe6ade13635ba2ecf0ea9dd26c38509700882ddaa1ba67f1bfd1e54537d5bb6c097b3449e9065ad63f0cc65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
f71921814f39ab740c869861940fa7b7

SHA1
8ee0eebf08c5aafd1bf3d7685a67cc2ccedf3c4d

SHA256
e7049ae5dd26bd8909449ae5a399ea91f871dcbfe2fe069dcae9e4f371388e5f

SHA512
886bbaae60484738633a5ad2ccb7468db29d2dd0acfed83571366f484b1ecd72bcd8999133a4bd8e3999ea002c16a72484ac10362497ba71163384c5ff7f1824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
d773ea3613c80e037cca3a120f06fffa

SHA1
eb611645428e95fb51d836b7ee38e983e57f779a

SHA256
e8d4196eaa480e57b176e85d3f953497a102a75ed1b96b45ce56f2ad7ed3068e

SHA512
d4740a014d3437ed889fbe4de35c30ce3f78516c9a6672d286555b94be88cf6e98a65a9341548f54a85a8773263751ccfbd928f1d6478ac4a2fd50da5b8559d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
7ebc2276914a943438e455b56c1e1e58

SHA1
34cf3de6be9ca33454d5973fc4ef99ef5d680cfd

SHA256
6731ec315fcd82f1e2fd01885411d6b1f146c3259b10d9eafeee59c41b83bc2e

SHA512
37e98dd9a269e1530c3ca161668deedd8c0ddba0339aee5442a2240f0ce2a3e01f771674cd685f313124647d6d55c988ad73cbd03a0bbfca4ca15990f2d010c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
4f608b637b841da8dc71aae05ce4d63c

SHA1
3e456ba73ca32d0bcb26d1de9114f5c5d6303300

SHA256
66b33b73be6619e3fc65d5cd17f9022c6cd0f07852c15eba10576b1e14d36d74

SHA512
00c54d8a1d5ffea7213cad63712a5ee9eecbfd9077e1d1bbf3009f7c18883e6a099c2d7812c52bc0607e25093ca9c246df9b280da91a4fdbc3454af0db5afaad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
cc09e17bcf17281da53f4e00db9c0236

SHA1
1327a7ef3ac0ce8ef06082f54c07572536cdb125

SHA256
cb5f5d68e96360fc1ed9385a7351a21b21d86d962657b9aa6ee58e4bd95f9edd

SHA512
37b8fcac002a2d58a112f938ec3689353efaf4aa963e97503014ec56badc1c7651f94de374cc2e28072deff307539ca3e75d71cff406d0c7208bdc61912280af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
931f68d40cefa7cade4d26f35c49ad8a

SHA1
5b4e8721ada1a394ccb5e68b2028d4d520cfc6f8

SHA256
5ec6ea7b8a5280467b81fe1c395493032536d3ed736334d250e8d663fd2cea62

SHA512
25d1aa4afcf87eef5bd5a4f508fc1435b6158e229d50ecf4cf73f9ae3ccddae5905444e04491ef53cd4dc5a061aeb702ed23d1589b95574c346cd5fc566a5fab

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\~earchHoverUnifiedTileModelCache.tmp

Filesize
10KB

MD5
cd6829f53a60318a54648f4ff9d694c2

SHA1
eda672c23f219a9cdbe740079412f5fbe04a157d

SHA256
5410184dfd5ef071de14c78cc7e9488049a85e313a3454250d53e974251ac906

SHA512
25a54ac013419868211b704a9b1f4cbc7c0a5b1a0e10cec09cd8eee3fbde7497e36c8e35f0506622eb9a47939c2c6b9590bf9bbf8d43508be13d7f85f7838ec9

Download Submit
C:\Users\Admin\Downloads\Chew7.rar

Filesize
2.4MB

MD5
d126cf3c94f651aabe6650b90baea6d5

SHA1
491f9027d1581333f6d20d31045be0b3842305c3

SHA256
f0c90fb4211b12602caa556fe7f5e2ba60817dc5ffd09adf5055eee7aff74927

SHA512
1c184f60829c18e486914226a4c081c328cb52e762ccb1b9b2c0e19def5bccfeaa580d3f7e541d91a95d8ec11675697bf46c549678d63a8a945fc0e8eeaf5046

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/3588-0-0x00007FFB25FC5000-0x00007FFB25FC6000-memory.dmp

Filesize
4KB

Download
memory/3588-4-0x00007FFB25D10000-0x00007FFB266B1000-memory.dmp

Filesize
9.6MB

Download
memory/3588-3-0x000000001B650000-0x000000001B6EC000-memory.dmp

Filesize
624KB

Download
memory/3588-6-0x00007FFB25D10000-0x00007FFB266B1000-memory.dmp

Filesize
9.6MB

Download
memory/3588-5-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/3588-2-0x000000001BCF0000-0x000000001C1BE000-memory.dmp

Filesize
4.8MB

Download
memory/3588-1-0x00007FFB25D10000-0x00007FFB266B1000-memory.dmp

Filesize
9.6MB

Download
memory/4976-1035-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-1036-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-1038-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-1037-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-1051-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4976-1061-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download