sodinokibi | f442d0543f6df79be9fbaed90af2dedbcf2e4774561421763577b148a9ff8554

Resubmissions

10-01-2025 23:50

250110-3vv2pswmhj 10

11-12-2024 15:19

09-12-2024 01:54

26-11-2024 23:15

30-09-2024 21:45

15-09-2024 22:03

15-09-2024 20:03

20-08-2024 16:21

Analysis

max time kernel
1194s
max time network
1197s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v2.exe
Size

121KB
MD5

944ed18066724dc6ca3fb3d72e4b9bdf
SHA1

1a19c8793cd783a5bb89777f5bc09e580f97ce29
SHA256

74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f
SHA512

a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3
SSDEEP

1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Score

10^/10

sodinokibi credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\q2xp8-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension q2xp8. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9738DE3203C67D49 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/9738DE3203C67D49 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: rBWV5ZNa6wx4aaxBM5Fs3b92E4NXEM8azNIHXb/rgLUOMOlL6EDuSyRq5F0/eoAb qK7Mx7AmcJ8e6xJHcwIQjY4sw2SMx0u+NxZNmKwHnb7nm7QnXCxNGyHqzzD5rIBT oLipG+hM1fB3v9bKmOgBgmj1f8gLwvGPrVafmiYKqcqvZ2zBkTBBi4fEzKK1/ykx dchMY7L03WgZ9gqTjH6QGTQQ2cDfWtBsV/9KVxTCgogO2VWX84JUf41keEpgbIIx 7su7hGMzsRhtTaG8zd9WzQ7zHLR5CxDU4vBFoloJqHEFmnQvKZ+XiDzD3ngkVs5Q RfKV6AFxBzUA391i0okD0seVPTrVFANV4JyeLEZmxLIkFPKK1wpnu+T6kZGSxqay 6lTb1fa7gD90ZuusbR8q5zpToBACCZh5219dENhDt3bUZ5XOCQ3S4awW4oSpOb9m fGwsTzLoOdODA/ELB35TF3U3/w9kM/pEaWypD+CjF6e37rgdaNzJTbxEityNkz9n He86xFo0CaxOrS48mG1pLhwoG6wPqZdsAfSiB+Rp9b5RsWUX5xSm3CLW6gO47+Wc dN7O+Uu04UdMRY7KkyxDkWXIE74fHNAltc7SZa7LuoVzt1Biv4Y7/db5BKvA29aG Xv4VVRBhmQ+ctr6a1vrK7vuPiFV0/KKkXml5BfCHxqs1NNFD73utGeSIKLW/KfsG HvI9Y2BsfrO57hI0g+G8UidMqUZtF65HlK5brEpCbovlZUc23cv/LNh0SbfuPN0q qtdqYa0yj4vdH34QKmt3mlE4fAyCwYBUh/i72T6TmIHTlNTw7Rx4f6Zc3eH97DLm Ls5mYvvgEvexJu1/ZQN327As4goeN4NIAQtgwLaZ5wM1OJJifRyWedavT2xJSZ6F tD35TpbyKQ+nMMOZni9tVJ4eOgpnjPVJ0kYoyfqUnfDB6rsTN4JH6kVUDzoqavou fdVQiEWET1HGbqcRcbdSPbbfLmZ5hQa9fZcPtgyj3440GVjBYFQsjdR54j5JdQt1 I1ymvdUQi4/r8mG3D6J+vcaFAq358UV4AGGicgrrBld3eFvxSXcga7LmpQQhJze1 q5Q/KabKEj9qlVnz/uBF9FMaNDeE7fvcnWnHH/CyA9TwHG62fFZvtdsLK3JlNjaB zwDkmWVvDc+b65szJaF7+7crFaeNIiuEQCNW17Dvs9tu+8L61iR9yT8o1HKsWNhg bwsadO6ruD9vv185ztBCGygEjELRFwzCD56IvjJaabOr2vQ/qDnl98aqK9outTej dW3tKo24In96CmgQSSE2hwHjZ/AfNr+IUsX1pmGIz6Pe6O42mJ5LiY5ZCP1rcI7D ygidb5suJRWlRWcuMZzKgTzbu7js+zMY62w= ----------------------------------------------------------------------------------------- We will use the data gathered from your systems in future campaigns in 14 days !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9738DE3203C67D49

http://decoder.re/9738DE3203C67D49

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\q2xp8-readme.txt	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	v2.exe
File opened (read-only)	\??\I:	v2.exe
File opened (read-only)	\??\J:	v2.exe
File opened (read-only)	\??\P:	v2.exe
File opened (read-only)	\??\R:	v2.exe
File opened (read-only)	\??\U:	v2.exe
File opened (read-only)	\??\B:	v2.exe
File opened (read-only)	\??\W:	v2.exe
File opened (read-only)	\??\A:	v2.exe
File opened (read-only)	\??\T:	v2.exe
File opened (read-only)	\??\X:	v2.exe
File opened (read-only)	\??\Y:	v2.exe
File opened (read-only)	\??\K:	v2.exe
File opened (read-only)	\??\N:	v2.exe
File opened (read-only)	\??\O:	v2.exe
File opened (read-only)	\??\F:	v2.exe
File opened (read-only)	\??\H:	v2.exe
File opened (read-only)	\??\V:	v2.exe
File opened (read-only)	\??\M:	v2.exe
File opened (read-only)	\??\S:	v2.exe
File opened (read-only)	\??\Z:	v2.exe
File opened (read-only)	\??\G:	v2.exe
File opened (read-only)	\??\Q:	v2.exe
File opened (read-only)	\??\D:	v2.exe
File opened (read-only)	\??\E:	v2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
181	sites.google.com
182	sites.google.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7w4l.bmp"	v2.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\ConvertFromShow.jpe	v2.exe
File opened for modification	\??\c:\program files\DisableHide.zip	v2.exe
File opened for modification	\??\c:\program files\PushDismount.m4v	v2.exe
File opened for modification	\??\c:\program files\RenameOut.mpg	v2.exe
File opened for modification	\??\c:\program files\ResizeOptimize.temp	v2.exe
File opened for modification	\??\c:\program files\TraceCompare.m4a	v2.exe
File created	\??\c:\program files\q2xp8-readme.txt	v2.exe
File opened for modification	\??\c:\program files\ConnectExport.css	v2.exe
File created	\??\c:\program files (x86)\q2xp8-readme.txt	v2.exe
File opened for modification	\??\c:\program files\OutPing.pub	v2.exe
File opened for modification	\??\c:\program files\MergeEnter.vsd	v2.exe
File opened for modification	\??\c:\program files\RestartResize.mhtml	v2.exe
File opened for modification	\??\c:\program files\BackupUnpublish.jfif	v2.exe
File opened for modification	\??\c:\program files\GroupUnlock.dotm	v2.exe
File opened for modification	\??\c:\program files\OutPublish.rle	v2.exe
File opened for modification	\??\c:\program files\TestUpdate.vsw	v2.exe
File opened for modification	\??\c:\program files\DebugCompare.fon	v2.exe
File opened for modification	\??\c:\program files\InstallNew.3gp2	v2.exe
File opened for modification	\??\c:\program files\OpenFind.m1v	v2.exe
File opened for modification	\??\c:\program files\RegisterSplit.pptx	v2.exe
File opened for modification	\??\c:\program files\FindOut.xla	v2.exe
File opened for modification	\??\c:\program files\JoinExpand.ADT	v2.exe
File opened for modification	\??\c:\program files\OutJoin.gif	v2.exe
File opened for modification	\??\c:\program files\ResolveConnect.dotx	v2.exe
File opened for modification	\??\c:\program files\StartDeny.TTS	v2.exe
File opened for modification	\??\c:\program files\ConnectMerge.3gpp	v2.exe
File opened for modification	\??\c:\program files\EditUndo.wdp	v2.exe
File opened for modification	\??\c:\program files\FormatDisconnect.snd	v2.exe
File opened for modification	\??\c:\program files\OutUndo.html	v2.exe
File opened for modification	\??\c:\program files\WatchInitialize.mpg	v2.exe
File opened for modification	\??\c:\program files\DenyRestart.3g2	v2.exe
File opened for modification	\??\c:\program files\EnableSubmit.ppsm	v2.exe
File opened for modification	\??\c:\program files\RepairInstall.rar	v2.exe
File opened for modification	\??\c:\program files\SyncSearch.clr	v2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133709042989404507"	chrome.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000002f5975a0110050524f4752417e310000740009000400efbec55259612f5975a02e0000003f0000000000010000000000000000004a0000000000ec312701500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\Registry\User\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\NotificationData	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	v2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\SystemCertificates\CA\Certificates\C94DC4831A901A9FEC0FB49B71BD49B5AAD4FAD0\Blob = 030000000100000014000000c94dc4831a901a9fec0fb49b71bd49b5aad4fad01400000001000000140000009327469803a951688e98d6c44248db23bf5894d204000000010000001000000026864c28a4de37f569c1ec87a0eccb270f0000000100000020000000b35e05950cfbd8259f9375ba101870b8c3c4c0ec5a529757e63167e9de26a9e81900000001000000100000009f6337f867e721aac07c3ba0fbdb64315c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000005b040000308204573082023fa003020102021100b0573e9173972770dbb487cb3a452b38300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3234303331333030303030305a170d3237303331323233353935395a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b30090603550403130245363076301006072a8648ce3d020106052b8104002203620004d9f19e4687f8217160a826eba3fab9eada1db912a7d426d95114b1617c7596bf220b391fd5bed10a46aa2d3c4a09842ebe409555e91940376675ed324e770449f8707bc318e7cef77110feac74d800d4ed6d1c731633109c3ab2ea6c62f4bdb8a381f83081f5300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604149327469803a951688e98d6c44248db23bf5894d2301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30130603551d20040c300a3008060667810c01020130270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f300d06092a864886f70d01010b050003820201007d8b7b4a2035b20586088a6e9e4e3aaf8004c4845c33190a81484d96baefd41db584e69737fe66884f8b3936eb72653f33dcaf0ba31563bdf418d1682fc22127c8fcbeb38ba4c636d8e3fa6da4b593d60caed0d3970247a066f2d384e14d47810e4b12f518ae1ef89c66a05e75074817ae6966e86978370605c2e261ab10aff10ee60c71b4bc939a0b0748e55205c14e9fd960bfb2c408fabd8bb99f1f79a9c60ad1292c47a4ea19d0a5cc701fa11eebe59251e7b6f708d2630c4349a1623eaab4c152b64175469086dc83dd230a55090aaef0657bb3cb9b927473b3edc2fc19b5f5114ea223e90e4c2fc8d7ef990d785e4caaa8a2b9a19f33843df69054509316bcb994ae878693226171927bb7f70681c484571388cac6502641ce108c5668ab52a642a420d09ff5245f11945bc96acd557232ef625bd4076b7a9e93baa108c1de5f8f35fd03a501fb894c775b3e408d00a2e8bdb9163c84d3aaba059fd0966b58765ffc6586a8e1246a3c4b3fe9c02217e41fe73836524696b43a619752ca32e4cd2e8b6fb17f7d1cfebd5767da3727a0a1d4342f24c0a6bfef4f4d583c4e3abcdb032e02bee1c2fa4ebcc2fdae1672617949127ddfccebbff76e2472d740892ee6fd3e1303b2e7d1dd9b43d3fc4afff387435740928dd47fd97b99337929cac48a2e00f570a88303e21182e3830b17cef5cc98220e3abfd985981bf21f4e	v2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c5030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	v2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef4240f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	v2.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	v2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	v2.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\SystemCertificates\CA\Certificates\C94DC4831A901A9FEC0FB49B71BD49B5AAD4FAD0	v2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	v2.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	v2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	v2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	v2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	v2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c000000010000000400000000080000040000000100000010000000410352dc0ff7501b16f0028eba6f45c5030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	v2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	v2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2160	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1516	v2.exe
1516	v2.exe
1516	v2.exe
1516	v2.exe
1516	v2.exe
1516	v2.exe
1516	v2.exe
1516	v2.exe
4436	chrome.exe
4436	chrome.exe
1516	v2.exe
1516	v2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	v2.exe
Token: SeTakeOwnershipPrivilege	1516	v2.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe
Token: SeShutdownPrivilege	4436	chrome.exe
Token: SeCreatePagefilePrivilege	4436	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe
4436	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe
2528	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1576	4436	chrome.exe	90
PID 4436 wrote to memory of 1576	4436	chrome.exe	90
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 5404	4436	chrome.exe	91
PID 4436 wrote to memory of 3196	4436	chrome.exe	92
PID 4436 wrote to memory of 3196	4436	chrome.exe	92
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93
PID 4436 wrote to memory of 4676	4436	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\v2.exe
"C:\Users\Admin\AppData\Local\Temp\v2.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\q2xp8-readme.txt
1⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffcb650cc40,0x7ffcb650cc4c,0x7ffcb650cc58
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3868,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:2
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3948,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:2
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3892,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4852,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5036,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5016,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5208,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5440,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5556,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5708,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5860,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5908,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5580,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5792,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5568,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:2
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5240,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4908,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3344,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5784,i,11886614795670623111,16715506903208488573,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:5628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SubmitWatch.xlsx.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\q2xp8-readme.txt

Filesize
7KB

MD5
318454084ae6f491a012b70fcc26cd0d

SHA1
cb1fd690f9b38a4fbd55790fa33868a752caa1b1

SHA256
5c6cc19fa2f2d58ed20b417c2d1eb7747ff8071e7429b8715f11242d6fe91a55

SHA512
f71e44aea281c6db68de3910842c316ae248218c8f71616e9fafc669d73e0fdef6e0c2ff462ff7f70f1053b0844f71282534a2fc292c9b3b60d379480147544d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
cbda51c47fd34dbbe565a486168763de

SHA1
88e49e16fde650aac24041c8ebcdd21ff641b511

SHA256
1ccfd4cccee3079d3cad254d2a13c66e228c1ba76ed14ec77253b598cdcd39b1

SHA512
68ac3fabaa72c872d5c64cc35a6f599e43cf43a73e7086a7c1cb249b865ebf16ad857b27a7a3ecbb513bfe64ee8e229babe128923dc12d4a0f33e46bb2ce4519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0.q2xp8

Filesize
44KB

MD5
9b01effc9ba94b0475507ff94f27d6b9

SHA1
f881d9222a641bac05c26187bb918866ed5ce394

SHA256
7f831c107631cbf586baf48b545d8336bec87c074eb5af0eb9f8b55bf74bb177

SHA512
7dc90f714ac5c96dc1b47cd29fdd704932d6653fd10439174be6614eaaac2be521925d66db205ec4b1570e5a453ecb32529f80f5f6492aec468971db82ccda99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1.q2xp8

Filesize
264KB

MD5
eb9f81707a3cacc2df7c94ea504ef12b

SHA1
0f069426849a054873ba2c7a5e4fdfd5866721b6

SHA256
d8658a98d4fefa5fc787815923ff1ab0cadd8d7963d29b0e859f929b75c2e909

SHA512
c2314f1c713006c0af66646cf612f187e368f2057827cf9159267d725fd55cc8f634e74d75a29d4f83b0c4c5ea1c91cf520441d6ce57dd15ec5c4b8bee806947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2.q2xp8

Filesize
8KB

MD5
1f13cb7b250279ffc1d3c0807e36297a

SHA1
3d3692d946e9f5b3e2cf3d0cd234975d0753c822

SHA256
3313563fe5e23304a287c1f6da11e056d509ddeb3f974d3387623251c731c329

SHA512
5ccc5418f1fb18dd8264e33beb057593926636acf0161bd61c07a74a43d6e83c02a5c656f5710129a6cf3d0d4298add9532430703fb040924557ce43350cf44f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3.q2xp8

Filesize
4.0MB

MD5
1b011c4f5477796d526ba9c8125317df

SHA1
457d3927e26761631b40e42c796b0f9460b9e990

SHA256
623e47f34ba6ebc7143178614ce113201f2b533777f890ae1b2970445daae71d

SHA512
ff3325f735b602e20cfe45dbd4e381a59e0bc4e9f9ef6eeef3e1e439538b0573128c32bb1bccb8796c5623f9bfd86e985bdc0956c72b9cdb7dfa5d0245f0163d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\index.q2xp8

Filesize
512KB

MD5
8f241674d11d7da81c9a31305fac9c61

SHA1
d33bb9c9c4240fd7800529538302a1d32b9de392

SHA256
546362b2c7b8c493b582f6170e3e41519f98c348923e0087a44b1a18dc476251

SHA512
059b0672f068755278ebe54944f1fb2a26a109d33d0b6c9585845bdd9478b223995321e8489acf82705e526a4b59400e8e8b869f66f90d9bbea97bdd77d41279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
321b7607ee6acae0325116a2157252da

SHA1
4076fd19fd9af841ecd355422388edd1d42384c9

SHA256
cf739a6a387c1b838d797dd4546de93e5c4725ff9639fc30ccff5f556c3b81fa

SHA512
1f8b117ab52cc38c7a85c2cdea90193e13c17711b890c10b19fd108ebdd36292458e0a38ba7cb94982aa824fcad0040866e92c3075ab696fd05abf889eb08347

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe591033.TMP

Filesize
48B

MD5
4f9e626f58fd1cdc5d10147d47c82b90

SHA1
731e7c84379373500e3a7e10ce1edc45ae6d156d

SHA256
19a516f08b91bc5ca50228cdbcac683955039b12c5c605020c11f373815ee9c8

SHA512
987da8fdcc763b12fd28a50f17952826db8dcfdb31148a52e13768ebbcaa0cc2acb3107fa5844f31d1d007de65a729b835d6dfad42dddfc90777918eee28119d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_1\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.q2xp8

Filesize
20KB

MD5
77b32e85de890b1d8e5f6e2a05f93dca

SHA1
b5aca251ceac2b0a7024d4cfdf88c532f2a45869

SHA256
fdd0e86de1596b809062ec70009cd557b47c01e5927d690577bea39bfc6b9ffe

SHA512
3d07c6474e9b67106828dd3627e6ebaad0009463098137f60ca38eb70023cbbbf4676ed951f8595eff13317127bc0474f23bd9c757770c94ae07e5e5409d8348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5d8d7963fde97b75d9097290f52e2a11

SHA1
95c895bb86aa54b1eb0e950305a836e2dfbafff6

SHA256
0cbc5a5fa71a45a4ffe8cdcfce796b09f2e9e52df292cf28ec6ed8da70ae9a7f

SHA512
1d8028b2feae181064fbf73ac8e87dd5a0cda4b19709e7cef21d9f1dbaed514bece278f87e9ceea6464fda0372ac9748c29d3767f18213a194225b71a9478e03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State.q2xp8

Filesize
1KB

MD5
8ea30919d8dbfec24e6bdf11ec03fae5

SHA1
66e498621d7af39ddd6d7f65beb68049c4e2975e

SHA256
c44916712d659c7f07f9f35cf4388fbb63e9d2d4a695d3a2d73f833b55eab374

SHA512
9a2033bb4377a8feb5887bac2308bc7ae9d1426dcf67fc3d2e065d2722216662c97549c9daf55278d92f1e47e13571faadb487c4ba711e56fbf2761741492bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State~RFe591052.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL.q2xp8

Filesize
36KB

MD5
0f5d082de6d0f930b4b43d06f379629d

SHA1
0815eddbe55eb32583edf2588e57d9ec4fa4bfff

SHA256
23e8ecc9e3d7f39036d0aa7cfd4c0cc46022ad282f486e3d3f76f784ba1dd3cb

SHA512
fffa2e0a927cf6627ba6ae81f8dfbf1c3304e5942cc1fe83461968ad5689ea6d1590f2b0a099a4340a2a46b67b05a7f50f6aac9d5901203a8b9ed2903b93154b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports.q2xp8

Filesize
234B

MD5
b274b52bbbffa678395a3c5087b23ed7

SHA1
d3fcde92f17d4451559c2171597dd811bca8cd62

SHA256
a7a04b274dcdd700286bb0ce4c9f11477fa5df1119c1854f92e107fafd4a7a5e

SHA512
3ae95e8993b809cb1aa4aa333a0a980314ee2ac73847b77dd63ed43b9c9f1f4b4e242ef05305fd954396d14443a7b598ef2e1e358f45ac3c16e6517c050b77b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity.q2xp8

Filesize
588B

MD5
0efb352ca35d6b034f3160f6a7a4a448

SHA1
d7c371d45d2ff5fc466cdd96dd49c1a52cc21d5c

SHA256
72e528e31dd7c4bd9fe344352b249fc78c90629ae862cb96b8e04ba0532f2141

SHA512
0f977f8955d06a1e1fce9fc4582f3e6220ebbad15f79bea024c09d46b3ff12db32b847c28dbcb899ce0bc0cb6f9909a467ab6d024d968cfb2255d48f6057f3af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Trust Tokens.q2xp8

Filesize
36KB

MD5
b314cd69ffa63d54d998fa0df0ef447e

SHA1
8cf01a8d992a2daa105351b07d788aff12c72326

SHA256
2d758c6b322f36d89b9fe8a7ad8a27179a9fea343c979c36ac50a54e7693b08e

SHA512
e13269f71fcb8235ca2f96fede39d04dcd082ccb8123864670ce57c9303b48d40bc6487636238690b54cd18164297fb49214d47212ae5fca9e7030fa6aa63179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
50d6646ca98d98863c7ed37004c4461e

SHA1
f6bb18defb484aafad2321f412a29ea17df8fb4d

SHA256
3e704a38cef8f6024c99a37ad0a6f2debef04a2b9b6b2415031e1d3976751b5c

SHA512
f2d32994c6fa081c53503ec0c002a5bb96c2b11a2395b5f76ee240eea4694e2851bd5c7b3d372a0d119eb177e17eda13814d471d2a4f8fcfd34447f57abc255a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe591033.TMP

Filesize
7KB

MD5
59e615fa8708e134ecb36f3efdaef4b9

SHA1
1f9d33a38a6796cc4bb4b7cc1134eeb112e9307e

SHA256
24867028812651cfac45577e42d52f72691cd3f816e6c25429660301af47e592

SHA512
6fbfe74def2635217b6d4bf2ecce26870eceb64eab98c381bb56eaa7d00e64a63c1e5079762b37b59fcf49a60621c5f649ec99aa305edebd2ebabd57907f9484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network\Safe Browsing Cookies.q2xp8

Filesize
20KB

MD5
bb9a0a3f56b1cf49adbebd49af5bf9ea

SHA1
f11614751fb1f8d36e10c5c5bd77b114bc917216

SHA256
517b902018bf4bd1898ebe5f7998a9a80675425356eb0f5140e7faa29688f5ca

SHA512
9eb1fafc285b001e88ed83aeda87fa8bbba86bad18f4efb5982c5e22cdc6d61ed2bdf284b2408a24390a929f39b76ea1ae0ce78d9571ac5afcd8c190b60f0c1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
75a47e44f08326e55c77b22535a4deb0

SHA1
cfd6601cb008e23595f7455b054138b5c1f8d270

SHA256
81f807b88a632ee045aeb87e8a37f5e7232870e61e2e2c6cc31b0cb3accaa1b4

SHA512
74b28bbd6becf8db045ae2331170a875277e3e3dea806bef8745202bb1272ddfaa785ee75e4d3f1d2930bd99b37ce340ecac84b5506889927f4f96c4ac2194a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591023.TMP

Filesize
72B

MD5
d816325c6bd7200e3b5e78ef65d5edb5

SHA1
d2d6b89684505a5e10745dcf3bb53f05b3f238df

SHA256
389dcab57280996d94edf6f8bec527a7537da48a038ba9af1299f4c08af77446

SHA512
1cf58121644b4bf74edb75869cac776b2d0d75c703a290f8bea44c744da31271c7b1d0928004338fb9be771b97b34e761a08fb33633f50288f588cf3dddae11b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir\the-real-index.q2xp8

Filesize
280B

MD5
7b54016248c1f18cf17ea1f3ff1f2e26

SHA1
3f1a998b685408106430f959c6f0a67a2b0b3132

SHA256
807c3c6ea2a1e6feaf891bd19b69df0e4a7de7d87df262bcc3b23633fbe38f42

SHA512
271249ef1779b8c08ec7b0512e367818b18845f37388f58526831d0e7512204f5d370667a7b1ed54ee5a4cf2388314192652945e6c8d49261be66912b17b3bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index.q2xp8

Filesize
256B

MD5
1264576a0dfaebd709127eddaea936de

SHA1
424f7108cdcbcc93a3be81fe4c1fe364f1a3f5e6

SHA256
22bf90a9547d08caad29cd7bb470d29289e1cb7a743d71de47c3948ec0213d9c

SHA512
ba248021d3947df2d4f0fd136c5b2af3c43096046696aa36a1ed17961cd47499fc36ce59b4b5ac65c7e370ee9a84f99ae5e461f9572d0cd2a7352b7c8cd3d953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\db.q2xp8

Filesize
44KB

MD5
187597bde99c971b7ac57c8b4c498cc2

SHA1
1faf31bcc65e47b902a1e4d2df8f62cf4c73ce04

SHA256
56bf0ee66c65881c5120fc9c05a6d75bc32230d6000694bcf3447d701887b856

SHA512
91641ae703c0e5743782905c26fb0dfcfcc5c52b144ce5429585300c8ad4b89eed2b46a5460ce877855a1182bac312739061082eba82c9086c20396d4c69592a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.q2xp8

Filesize
7KB

MD5
9dd5f1c1bc920ab6fa07029f6b0c7f87

SHA1
d14d164c60347bf583b8ffaa7df18dd2e6a70b3d

SHA256
720df8932b79c1a7e079742fdc3774e8bb0af86fd8c59f9366b9fe0a3723ff8d

SHA512
8a4620ecf2679ab997cc0efffe2a538896bf9167f7eff191646f3fbb3fc60fdb5dfe40de5a6bdd38bd246ff3d75c3f02e36b711c04bc9fef1f352d5bf7eca5d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.q2xp8

Filesize
5KB

MD5
e849a9b91414c61e54b84c6516048e5e

SHA1
409047d7f7b2a24b227094f708a3084a5eedd1c0

SHA256
a295ae76381017f82b2f871c530ddb2406938747e99ddb93e43a750868a7d28a

SHA512
c2f844db39127a148185ae8c37178400aca9e4644f9d93715bfa7194434bed9ffb9cf0224f2d150f9d38e26254f3e20124d809c3388bc87cd0fad3eef526d59e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png

Filesize
1KB

MD5
40c4ea664da063cccf37a00d0dea5f88

SHA1
f524c4c8544d5e8b7d5a29ba74fbe865c0fa303b

SHA256
91289705a496311822aa52d067f2a029025293f1c22779f3a8bc483e211ce1d8

SHA512
bbe182958560fa196423bc1b50575b078e4a3b2b170427074442a42a3f21ae7d91d3115e75f38335c778070142d2d1bc929bfa22bf0fb2ae644c0478f6d58d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png

Filesize
2KB

MD5
9e1a6c45e7a5b26e6dfcb060fe4ec411

SHA1
8895839baaf4a6ce1189fd8c5572c3c8298ddcc0

SHA256
102aeb88e02ce1cd5c91ce4ab3c5880be33b6a440ee7f24c9e38741e79b46273

SHA512
323180dbdb0ebed3f398d5e7233f681ec85bd0815ef463d8351e17e99ee6f9f47badc9bdd9ab197249fe85e2c0d2457760f7bb7550c9c55110f333d13bfbe8fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png

Filesize
3KB

MD5
65e00211feede352e87ff869cd3d1b1e

SHA1
2ede8e165651f24a165f31bd2b4591d124d5fdde

SHA256
dc78a4be5b92c40c32dbbd4bcc3c65057105db062c088fadcf835a5e161095a1

SHA512
1fec808d0591868de3e27863e095ded619cfb825239eb05aab61f9ddb09bca28534e5a1a6f0d39a47affb7a3371d07cca9701b8dabcd297ff2fd116c9123fe61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png

Filesize
1KB

MD5
44188def4e01c25516ca590c90499b2f

SHA1
0a9258ac71dbd02eb2e5a592365c9e8a3744d3c7

SHA256
be3a2fe70a27da2e9836e8b96a0dcfdd980702f69124f984f82de2b8699fe977

SHA512
f202686756dd603d4d98b36421e2613003279601328aae2214ffa3226a6a7c6102703808877818a989f2927677210dbb7bfa49ccd870771b399abdfa2431dca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png

Filesize
2KB

MD5
b87bfabaff9e7370835ea8790c87409b

SHA1
d9641aa79839fa5067ee9054cd61e0eecccfc7ec

SHA256
d67823095d8a91a0d4638ba75216c2f4b467f4fca5a56c4e45e88091b17dfdc5

SHA512
d8e3e59056076919afc7b5640d4f5964abbaac8537bb547da68f7a91c314a72615059024fa6e517134da81a38d4701138f50e37bf99a37ac3353ca5d92ed162e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png

Filesize
3KB

MD5
72af0c1352184e984612088a6df54e53

SHA1
12faf6f7b28cc2d4be9d639a770e54d895d6fe58

SHA256
e036bcb9f333d3d7e12492247e02fc6d599e12c42cc008fcbbac37def93ca0da

SHA512
8dfed220c6391592aa1bc06000548f1f18ce1e6b47b6e3b47f11185cb0d0c48f961c82c6abb598ee1dcde7ed87c59026cd282ee56f5e0dd1f48ec89a207f4623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.q2xp8

Filesize
5KB

MD5
5bcfafbb67d7a0878c06f00721d3b895

SHA1
b1ceef83e76a91f0656f89ec1a4aa194a88cb2a2

SHA256
6cc4953aaa854200847e3b23cbdfd51be851950e1a2054c8672f7a4b06838f8c

SHA512
ad845e138f933bbb313e6680cbe9ab04e29b35a71f557719c48ddaef5630a1556aec471916111a6e05f4591908195e8cf62983b6dbf9b51a12090e7a5d5ec194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.q2xp8

Filesize
3KB

MD5
82aaa96168d32c29296c94e2a839f828

SHA1
9dbce7311efe4274b634e528349c3a1d8449405b

SHA256
bb8209e8009e76c71c34dd54e46f8d5fb2396e7e81e16ba64ec8f89809857739

SHA512
b433bf8d3bdff9ee6835de53ff9c99c86f45d41535fe5857d5b4a54f40dbc7297c1b148fb1f9a520efb3e47b859e8d91cfb585187f1349e90a9dc3ea9daa4e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.q2xp8

Filesize
12KB

MD5
3430ea2404f32ff49f536766f6713b7e

SHA1
b781a305c923eff4bcc3156d26182d651aacc8c8

SHA256
39e4851a357ce3280ab4e409fdfd8e7fd0d7d1510c4a698e042e5bc861373e88

SHA512
53c73b78a9d3177621e322caccda2b75c6ae7918385530d5ab80b2bf4ce7f631fd138f9d73b46abcebac22b2e15d5e5e253c429fd1eaa2c8aa74dc9827ab96fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png

Filesize
1KB

MD5
cfd1c4fa219ea739c219d4fb8c9ccf8d

SHA1
1bd9c4a0c08a594966efe48802af8cdd46aa724c

SHA256
36670568a87c7b3cd1a4448ffe5bde9b6fd3d65b58e6dca38cc4ea2e9e8c11b3

SHA512
59918179057447aa18668abbdaacd11ee3f5e83c25a93f916a050a559ea1457d6ab61abd3db9def22b5214a1767911e9cf9fa8e638852032cca3696424c6a903

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.q2xp8

Filesize
1KB

MD5
4c87d06faeb82a51d204d7d040d7bc60

SHA1
1b647bda49a0f7586ac20b4499671495dc932b87

SHA256
4e5cfe4ae1b88f24353527d81bd86809bbc99737785e61647ca0d54b07c7f2d3

SHA512
ca222d1b0ec601a72498c59760ebc79c634a57bd529795e75244574c81ca6e3f054714c34bfe6f8da587a052d840242b2a0b718147a00b2bd5ce862aabb7bdc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png

Filesize
2KB

MD5
f484337ddad3b425b5788e5ce7082bc8

SHA1
79c7e4c0202a06ef3a287cc76ea498fcf26009c2

SHA256
fa58e3209e408e4f0d60a7ed330d6f62884ccf9b593e37cde03e7916c116dd1f

SHA512
518a8e3d53fe86dc714a59cc70f8f0c44396d7569d25837c1cfe6212a10204080e0c4d19c43729f1815093af9f075693decbb9496700a2f00bd57dd3ed0b0a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.q2xp8

Filesize
2KB

MD5
9e7e8915952a3411c0aeca1b6d69abe0

SHA1
a9119f419d73952f44decb0cd90da3b56f65effe

SHA256
e6ad54fa8d46fdd9c8d4450afa734f8b651bd536353ced32d75f474e9bee3689

SHA512
95d630e3df911d5f6af4c8059b920e68c6e8efde871be959df30efba4a248f7326820ffda1f021ae6ae8cf53b23926573e403dee3a2a101b2084645075294d36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png

Filesize
2KB

MD5
9ca95e4d4941acee74cd1bef23eaba35

SHA1
1717e5136bf97a89b5dca5178f4d4d320b21fb48

SHA256
80c1e2f4d89d5266f82dc0295f232eda894812820c5c625a036adf980536e5a8

SHA512
9fb11e36e626b0d9eb43548ba0e90cda27e70d027361c52437f01287e94f07d07da01a385ee2466963e305516f56e37020644ce03d1132322d7e796440c633b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.q2xp8

Filesize
3KB

MD5
fc9304d19d35e4f4581d4fdacb5ca93a

SHA1
4459f74c8b0856e2b799c5fbcbcf8638cdf7fd0c

SHA256
20c9832406b23d1f17234340dff4b0068e34fc259541b484ecbcaa2d3783d2ba

SHA512
18098beb9e86003686f35a84b6a10288c44e782044080e683af529187fa06aecd8a28e5b4df57797d1af081553d0275ae7e8dbb9c6bc5cde8b6bc1110d484232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.q2xp8

Filesize
3KB

MD5
db4e85181f2c748bdf4e273a5f695d81

SHA1
1de65a99be8d7a77ea0b840ec9571cf060ce2719

SHA256
67b108ee5f319df44436406ff7686cb0d2222b17c78330d3d94ba471454770f1

SHA512
883690d77d7ea1b84d50edb192b1902ebfbc57d526afc08987180edac34b14c5c7dc4e9332d28145dc28f79a85c4215bdaf6439f18e93405acdda9f89288e276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.q2xp8

Filesize
2KB

MD5
24e0b14e5e45662bd3d3922af0b46084

SHA1
cf5f3a02998b9046172b9900ef5fc6aff876f3d4

SHA256
2e6a4c48f95b181ca8f7948899fd86f09a8d642f933971169f4082dc079b3cf5

SHA512
602b10ee44412050ac706d85fbfbcc8a99347c763dd0f32f1391bd3b9e031d74c3f60aadc30f25d7ba7ec5e560957f366aaeaadcea45157c716acdcc7e2eb83c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png.q2xp8

Filesize
1KB

MD5
5d93ff169671f1f2c60ec822b1d7fde9

SHA1
63703d9c3e12d62bc893eb937a0533c291e0a93d

SHA256
c7b6047ed54cf72d7b2fbf77c40cd91fb3487f61bc817850496a74fe5e1922c0

SHA512
bdf8af7413280cf85ede5f6788b604b208fecce2fd5a5725dc08791d684a561f78cd25566c909c9503f610be8576057254cbd32e595f368a7ccfbac4acf0a2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.q2xp8

Filesize
4KB

MD5
bc6a3a3fd216eaec840332e7c30e8841

SHA1
80af12d82d27d00e2fa72d6c4321c248be26a706

SHA256
f30c37cd474a81c4ea2a8f00d226118b4a217a70de998e1176148470e1c41380

SHA512
045cd948341ca337280ec4f19441641c4abecca24de17c20c6460fa5c911d33766c38ecc5a372e6343f65787a9dd7a132479b6aae2e1a788be0bc1373e19720a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png

Filesize
914B

MD5
1958a9b92332cc7b500636c414649c72

SHA1
3433cd43afc96397650ecaa2f3d4c82d985aa86b

SHA256
282c4fd7aec92fbe494f71a136c9c9111a453ff07f701ba21cf2f14b24f9ff15

SHA512
9a6791a1ffcd7b2442ffa33a132b95bc66dcfa5b2814bf5b84d8385e69b7243bed9b6e4a1677c3b88cc9de421067468ef186584c43a90b7aba78e2e19a1fd81b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png.q2xp8

Filesize
1KB

MD5
26eb495bb65488987d0bcd5bd47645e7

SHA1
fa210838de6bd5f4b080991106a62fa65d962c2c

SHA256
4a696234aaaeabe40c96b79925d7afe705435f77c200d070ec51267768022d91

SHA512
90dd049c4e8b520a22f7b72c7a9c6dd020536d810854124325b73afe66f2cef2ab0d96576db801f8cbb60935e8221ba0afa6b735bded2da2730d646d1ef4f508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png

Filesize
1KB

MD5
b7593fa2971ae16ea2aaefefab67658d

SHA1
df5455a066a4aa91aba3d2ad0df25e3634d04a49

SHA256
1407047a49f6220843e0b5eeb147273ac894fffb489ff02b7e920096f1cf23db

SHA512
0036d5d5b708feb7fa9dc96a705e0ef98c8dab39ee182e760515ae008e100200ee4645afa75359290f09dd1fc7f16c7830e39faaa5e302a8dd6a647adcd431c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png.q2xp8

Filesize
1KB

MD5
58e91ea1ec84d43112c76f8cc2e2b8f6

SHA1
3ae29ce0079efccd08990e40887310943e8b4791

SHA256
a40d5355a5783feecf70c7897a621dbfe4beaf4d52e933e3d489396560612f6d

SHA512
45192bb12c39f8ead4d39397961a7a238b2552d4c13276ebdcad88c46c4357c98a886f0600b27d87f15d899c0833e2644962366c83b232aa079e52fb78f5d04e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png

Filesize
1KB

MD5
6078ddcccd0966b6c8506d28eed2026f

SHA1
86b7c92bcfb0e02d9a72bebaa6731891fa90e29f

SHA256
d982bca9f433bfdf7f7d8f759576273ee8a131e676a784a6d6231b068e21de25

SHA512
850dd615ea2422f00001b37603f25756e6304e190669aca90aaab08d2ca97d163402b3fe7a4747e76040fc9dd944861b5639c31d1b40528ca806f5f920fa3d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png.q2xp8

Filesize
1KB

MD5
2b2cb86b41ca9a9b8579cd5458308049

SHA1
499636daa41305818b15fb079599388179c1d67d

SHA256
3e08d487fe6e0e701a247c0a597abdbd2c2f8c8801e5cafb640c620eb849d842

SHA512
68663ec1ee5599707cbcd04e274b92f3e8983ea370fbae111671aaaa84dd54d65d0e2b8a3cae3ec36b273faf3a1e7a0ea2b507f9fa4142e9a1c0d8c3dfb68fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png.q2xp8

Filesize
1KB

MD5
5a586d33e1505f2bfd1a72de2fbf10d9

SHA1
d0ae10f9a59697e1a7f691c02a1b659d997ab02d

SHA256
0bcd5e2b59a316c2dca23dd3441a430abf19013375cd1aa46a4631d53d9e3906

SHA512
8bb429a4da3b908cf3e67e8f35d42451d819097b45a892b97e8fb76185581f6a6bc23cb2a5415413266e01159250ed35c6b1734521e4e0884a9838d3cedc557c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4436_1178475075\Icons\128.png

Filesize
5KB

MD5
c592b8809b071c071577fff963bd1ad5

SHA1
f628a6edd48da4aebdfdc05ee3ce852b27706cee

SHA256
8a9434f0ede8c6edf65f8d5750852be574847a62a4534e1b6b372078463b6d04

SHA512
418f074fe6b91e4393bc670a75d26db28ddfa370e3b33c17db2a402dd008175be910c3fe9714051d55c13fb28d3901fc6e7e81f73587144d053d8b25bf9c8c90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f5ecc284-9d06-41b6-8ac5-7711057b21b9.tmp

Filesize
13KB

MD5
3736a3d6dafaf1bca2bc541129a5c3d3

SHA1
832bde8d88208ac12b2db103e3a7b0945f9a6723

SHA256
cade251d965aadd251ec69f56ff3c0af7d7ae36c7a8e79537f09101fe31dd197

SHA512
4a7293b6a3acb4d4295a2b3b2124c5feaea71c0ec6118103ecd13116d2cb5c82a05dfd8affca96b412068bb62d349794e284991749358d7b0eaad3662fd91c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
112KB

MD5
bf8d128e403a8fe1aa746dd321402c15

SHA1
f0533ac806ca2298a86da7a7cf40a5ab8a5417ff

SHA256
f81347299b529dd5fc5e9957931344eba8d2f48aae36c4deab3cb1dbf713a126

SHA512
59832543fca2506cb0db88065ea0d197222158c35b61a452b5a8369881e68d5fbf584337c5e6dacb2200bf08be57064f31ade105efdbc7c6304953229e0a52fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
111KB

MD5
9ae86411a74352b156a188068ac26b0a

SHA1
dc3b514dc7ace38d2e9f4966fe95dd4255e68e44

SHA256
f3bf64d23ac76ef562f0443113ee23524a639d94c1e188727862785daa4c1e1b

SHA512
eda6818878ea92efaf77ef3ca3b420f9d15920c83bb67326002ed0a77396850ebc9244bd01ae75769fdf89d7cfa46b2861fe70d427a361ccef1138c747e37fa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe58fe60.TMP

Filesize
1KB

MD5
774a0239f6bb7a0a196ee2e9d4b1c12e

SHA1
7202eb3b08a79a1803792e96a69a981acac19483

SHA256
4dd9488dc8606963859daac87f7fa026f2298776e086b0393b2ad637383db678

SHA512
5cd3133a24f2089968baa2df17848767320054311bc905768ac78e9669d9f8a3a4e23fbce012bbc7ee946dfea3a0628cdfb943e1f1d8b303501e05729c616764

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4436_1595357784\16f015ce-04f1-47f4-a7c1-03c5ca94b661.tmp

Filesize
132KB

MD5
83ef25fbee6866a64f09323bfe1536e0

SHA1
24e8bd033cd15e3cf4f4ff4c8123e1868544ac65

SHA256
f421d74829f2923fd9e5a06153e4e42db011824c33475e564b17091598996e6f

SHA512
c699d1c9649977731eea0cb4740c4beaaceec82aecc43f9f2b1e5625c487c0bc45fa08a1152a35efbdb3db73b8af3625206315d1f9645a24e1969316f9f5b38c

Download Submit