d1e298f4bf182646fa679f4145f4764d931a0140fc87ec2fb01d05e8f36adc33

Analysis

max time kernel
194s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20241007-de
resource tags

arch:x64arch:x86image:win10v2004-20241007-delocale:de-deos:windows10-2004-x64systemwindows
submitted
31-10-2024 22:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

DestroyPC.bat
Size

789B
MD5

20ac4390231d09f9a9068c203017b8df
SHA1

80d0108e7b47b6da0cb83c8b5b880258f4ab65df
SHA256

d1e298f4bf182646fa679f4145f4764d931a0140fc87ec2fb01d05e8f36adc33
SHA512

a2aa53aceb7e9d9c8ee711e9b7a96f44d0661fd70f701d9f420de95d886b9d203571da9860d300f4076747ac9420341f21f7b3ba6073080f0f2be743d80beb59

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 48 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
840	icacls.exe
2160	takeown.exe
1488	takeown.exe
2516	icacls.exe
2160	takeown.exe
3372	icacls.exe
3096	takeown.exe
1528	icacls.exe
948	icacls.exe
3992	takeown.exe
4492	icacls.exe
2816	takeown.exe
3628	icacls.exe
4788	icacls.exe
1648	icacls.exe
2428	takeown.exe
1232	icacls.exe
3764	takeown.exe
3920	icacls.exe
1636	icacls.exe
1748	takeown.exe
3024	icacls.exe
1540	takeown.exe
4516	takeown.exe
1340	takeown.exe
1368	icacls.exe
2220	takeown.exe
2720	takeown.exe
2476	takeown.exe
3208	takeown.exe
4360	icacls.exe
1344	takeown.exe
1068	takeown.exe
3964	icacls.exe
4512	takeown.exe
1852	icacls.exe
948	takeown.exe
3208	icacls.exe
1212	icacls.exe
1408	takeown.exe
4480	icacls.exe
2996	takeown.exe
1536	icacls.exe
1892	takeown.exe
2800	takeown.exe
968	icacls.exe
4644	icacls.exe
4184	icacls.exe

Modifies file permissions 1 TTPs 48 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
1212	icacls.exe
3628	icacls.exe
968	icacls.exe
1340	takeown.exe
1408	takeown.exe
4480	icacls.exe
1068	takeown.exe
4788	icacls.exe
2996	takeown.exe
3024	icacls.exe
948	takeown.exe
1528	icacls.exe
1232	icacls.exe
1368	icacls.exe
1636	icacls.exe
2720	takeown.exe
1892	takeown.exe
4512	takeown.exe
2428	takeown.exe
3920	icacls.exe
2516	icacls.exe
3372	icacls.exe
4492	icacls.exe
1536	icacls.exe
2800	takeown.exe
1852	icacls.exe
2816	takeown.exe
2476	takeown.exe
4644	icacls.exe
2220	takeown.exe
1540	takeown.exe
3764	takeown.exe
4184	icacls.exe
3992	takeown.exe
3096	takeown.exe
840	icacls.exe
3208	takeown.exe
1648	icacls.exe
3208	icacls.exe
2160	takeown.exe
1344	takeown.exe
1488	takeown.exe
2160	takeown.exe
4516	takeown.exe
3964	icacls.exe
4360	icacls.exe
948	icacls.exe
1748	takeown.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	ioc	process
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe
File opened (read-only)	\??\Z:	takeown.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\INF\display.PNF chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

4112 NOTEPAD.EXE
1648 NOTEPAD.EXE
3096 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1772 chrome.exe
1772 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1772 chrome.exe
1772 chrome.exe
1772 chrome.exe
1772 chrome.exe

pid	process
4112	NOTEPAD.EXE
1648	NOTEPAD.EXE
3096	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exetakeown.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	2220	takeown.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exeNOTEPAD.EXE

pid	process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
4112	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exechrome.exe

description	pid	process	target process
PID 1576 wrote to memory of 2816	1576	cmd.exe	cmd.exe
PID 1576 wrote to memory of 2816	1576	cmd.exe	cmd.exe
PID 1576 wrote to memory of 484	1576	cmd.exe	diskpart.exe
PID 1576 wrote to memory of 484	1576	cmd.exe	diskpart.exe
PID 1576 wrote to memory of 2160	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 2160	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 3372	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 3372	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 2220	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 2220	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1636	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 1636	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 2996	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 2996	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 4788	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 4788	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 1748	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1748	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 3964	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 3964	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 2720	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 2720	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 4492	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 4492	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 1892	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1892	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1536	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 1536	1576	cmd.exe	icacls.exe
PID 1772 wrote to memory of 2936	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 2936	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 664	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 4596	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 4596	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 2968	1772	chrome.exe	chrome.exe
PID 1772 wrote to memory of 2968	1772	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DestroyPC.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"
2⤵
PID:2816

C:\Windows\system32\diskpart.exe
diskpart
2⤵
PID:484

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3372

C:\Windows\System32\takeown.exe
takeown /F "Z:\bootmgr" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\icacls.exe
icacls "\bootmgr" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1636

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTNXT" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2996

C:\Windows\System32\icacls.exe
icacls "\BOOTNXT" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4788

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTSECT.BAK" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1748

C:\Windows\System32\icacls.exe
icacls "\BOOTSECT.BAK" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3964

C:\Windows\System32\takeown.exe
takeown /F "Z:\Boot" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720

C:\Windows\System32\icacls.exe
icacls "Z:\Boot" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4492

C:\Windows\System32\takeown.exe
takeown /F "Z:\System Volume Information" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1892

C:\Windows\System32\icacls.exe
icacls "Z:\System Volume Information" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1536

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff99bacc40,0x7fff99bacc4c,0x7fff99bacc58
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:2
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:8
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3784,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3768 /prefetch:1
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4004,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:8
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2452

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DestroyPC.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\DestroyPC.bat"
1⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"
2⤵
PID:2428

C:\Windows\system32\diskpart.exe
diskpart
2⤵
PID:4324

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4512

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:840

C:\Windows\System32\takeown.exe
takeown /F "Z:\bootmgr" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2800

C:\Windows\System32\icacls.exe
icacls "\bootmgr" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1852

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTNXT" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2816

C:\Windows\System32\icacls.exe
icacls "\BOOTNXT" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:968

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTSECT.BAK" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2476

C:\Windows\System32\icacls.exe
icacls "\BOOTSECT.BAK" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3024

C:\Windows\System32\takeown.exe
takeown /F "Z:\Boot" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3208

C:\Windows\System32\icacls.exe
icacls "Z:\Boot" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1648

C:\Windows\System32\takeown.exe
takeown /F "Z:\System Volume Information" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3096

C:\Windows\System32\icacls.exe
icacls "Z:\System Volume Information" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4644

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2252

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DestroyPC.bat
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\DestroyPC.bat"
1⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"
2⤵
PID:724

C:\Windows\system32\diskpart.exe
diskpart
2⤵
PID:2464

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528

C:\Windows\System32\takeown.exe
takeown /F "Z:\bootmgr" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2428

C:\Windows\System32\icacls.exe
icacls "\bootmgr" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3208

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTNXT" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2160

C:\Windows\System32\icacls.exe
icacls "\BOOTNXT" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3628

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTSECT.BAK" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1540

C:\Windows\System32\icacls.exe
icacls "\BOOTSECT.BAK" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1212

C:\Windows\System32\takeown.exe
takeown /F "Z:\Boot" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4516

C:\Windows\System32\icacls.exe
icacls "Z:\Boot" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1232

C:\Windows\System32\takeown.exe
takeown /F "Z:\System Volume Information" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3764

C:\Windows\System32\icacls.exe
icacls "Z:\System Volume Information" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4360

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4284

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DestroyPC.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\DestroyPC.bat"
1⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"
2⤵
PID:1440

C:\Windows\system32\diskpart.exe
diskpart
2⤵
PID:3516

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1340

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4184

C:\Windows\System32\takeown.exe
takeown /F "Z:\bootmgr" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1344

C:\Windows\System32\icacls.exe
icacls "Z:\bootmgr" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3920

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTNXT" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1488

C:\Windows\System32\icacls.exe
icacls "Z:\BOOTNXT" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948

C:\Windows\System32\takeown.exe
takeown /F "Z:\BOOTSECT.BAK" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1408

C:\Windows\System32\icacls.exe
icacls "Z:\BOOTSECT.BAK" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4480

C:\Windows\System32\takeown.exe
takeown /F "Z:\Boot" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1068

C:\Windows\System32\icacls.exe
icacls "Z:\Boot" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1368

C:\Windows\System32\takeown.exe
takeown /F "Z:\System Volume Information" /A /R /D Y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3992

C:\Windows\System32\icacls.exe
icacls "Z:\System Volume Information" /grant Admin:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2516

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
6d6547a743d5768175fc3760a4a5d49b

SHA1
e1bef707619082126188b7545d69331d51d24e98

SHA256
9be1b58e80ae53bd99a76f7803739aae0c4168244c5fc7fea520197134bcb9a7

SHA512
d78f42a796f889aaec9bdf230e419778d2466e8f995802ba6353e730891ad3a1b5cac71a0011a2e5b4fa97080603ece3aaaea5b7ab2ec81edd5f03f28d24a82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b0a2da0059ed3ab15e9741379daec8b7

SHA1
73b22632ac606c4299de414cc3880147519e44dc

SHA256
50c6a37c8b264ed63541307e63ec9b6631aada26852a9b167912d7c42927b0b4

SHA512
202f65e7cd74db66a5f6ed10f25704f86209a972ef14d2aad8dd09ab5eded55febd1bba6ba98abaa00a143b841451fa2216d2e1db39d68d44f8b6792ce1a9203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5d0386c59be175c2d8f290421bb12b06

SHA1
d469cb6bbab33f3bf4ca84c6e78364196c569bed

SHA256
a434d228bde23819599514958fff03e5001ae174f9f0e4ff7a48bea4dc8627df

SHA512
bc94c75d59ffa681942e18da148bd1dda887a6941479348e474397e55d2ee59c967e6ca452daf72010e52c157d5db2bade6552ad467b32d8a5f35d72b15c115a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6cf6bca59f2d12010f7fcf9437395977

SHA1
92798a86dc6078fc96653152aa2c2d87525b452f

SHA256
f82c73088b4cde629bd84d8b5f3764f19ebb03db2b90070fd51fc7eb466d1422

SHA512
b56467966eca6369bf485dd9aece268a4d5d12d001ebefce5d4803106ced8afb2df02e0a440f79f00329a4bd1829ca9de44e53c9c117b693dc1767d67e3a1116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac857deb01556655e06c17496da0fafd

SHA1
07496c856e6167104025fc6e33788c328b507035

SHA256
19eec7719f44503132a663b3f3dba4c3e9b9904c197a1452d985b182a39c3316

SHA512
48f472d0dd2927c32f9fad15e1b7d6917b57a3f5b2bf05e117832d371fa8b7d57444d4ec75a2afe75d0599a21315a09d81170ac14145d376557cdc292c3cfec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47cc0131307fd9968838167bee4dcf3e

SHA1
b77699755dcf91114438a7599e15a07422bd8016

SHA256
3b75f375c25f705a32283802a12859b1de74b42df7881a8e126d54337029e6ea

SHA512
b0f8a91e3573870ce4dd44476fbc703a0522e87f671472f15bc182be8844d8c446b322cf5adf686d09b9ff17fbbe09f4c9fc4490707a0432727965d9226e8236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d08b722c37f7518b86dcbd07b7782930

SHA1
7b204bfec33a08414e5fa9ce61c4af628b53d302

SHA256
e5a59271edd9cf4393efacdf70cd7b40a2c0533219e044d951e1edc3947a143b

SHA512
4e93fa614cd3bbf40d82b8154e6eb34b89b37ab415d2ebcecc404d80aa62bcd50e61590af15e8dafe6f64ab55fd36d863bfd19b2d9a748008c28b4684a9cd875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbfceb2b42f4f30422f99fadacd7c8ae

SHA1
fccafa95d6afa1ca5da69c512903d6822e17738e

SHA256
5229b009b515c91802350b18bce5913fb7a2fa1644cb0a44e6849a3eb9167da1

SHA512
adf26738bac7330133e2af031e20f61f59ec53f955f7bada46da25a5f7a426bffa37a28f583b4cc9651d1dad56dc716e669fbe9db8a0fd3ee6ecef7634dc867a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aebc12990aaf0d5994cc4f86edf7facd

SHA1
699e478c3e75b0c5b6a41915732395b6d5d9cbaa

SHA256
a512f49b91d59110c9825ef04b1863cad165d45d8bda9ed1a8b375380b63f6b5

SHA512
362605946d166867048a23e2c68a31c83a5bbe78a68eefef69afe3ae133d7a1a9b57a46f0e63bfd7639ee5a9a7e7087244fbe342a28c0a54fc775231a69fbbee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b4d89a5a5189207f5a48fb4e083277d

SHA1
7be11c14f91a9c3a330213a57b4b31a44ccbddf5

SHA256
4417d9c6c1b10206f609cd16aa25e1871004a07f9b78c7cbb0469633740eb87e

SHA512
53f77f19c97e614001534869a1a2c0dff6ecdc8dca7fb0082889133337a6d564e07b10233e82e7276326cb055b81ae16b62f5d78853e1cf0d5b3371e02b4f0de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
757bc552a7b78381e5b946bb6ba92914

SHA1
f6e7df6000699924f88ea938f4c01294df07209c

SHA256
0ed3d340ac2d3fa718ebc8bb90fd09c1780e7658b844655bd698cd9264118d8b

SHA512
678906f9aa46c80fd9a773ecb54d4b7cdf18ee0594bbbd70f4ab724bb06877c505d40e2da129f31431ada6f4d8b6cfa8816fa85bd01d7831ec42911458eac1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3bffeadf769d280e899a1a190f90c92

SHA1
aeaa7b4b07b5c84b114c47c625245a2889e009a4

SHA256
8bb1f3c11a4408c07f3cdb3b50edc78e8dd6324084fd772d4fbce8439b70172b

SHA512
d3d2543e455c250e391545423edfcd43f7f4c3f10b628dddcff70cafb1f54f8c5751a71ac3340abe1752ed89e686210746648f9fa70f9eab8dbbfce716f42ca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d5f0f1744fd5d9a86e7ff4c5391fd24

SHA1
e760c3da9129d687ae01e0104bf65a15e9474310

SHA256
81800d8886e454e56f49de18d91ff73c27f252591e060647293dc41e78c32d73

SHA512
a666a27ded28558b57d1aa3c220f508f14754ab3ba89c0b52973c329acc563b41f3faabed7fbe2f26e79160ec60ebe534c0da0cb0e0efba8934507a0a5084e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7f8a4fcf1c7ddab372c52f68de2da31f

SHA1
b28de075e9546b36df6da16421aca0bde94aa663

SHA256
05605b28603c912fc9c6f7b7e69be46715f7f7a2364f77673c0a9cf5420ea940

SHA512
1147f8f0b7a882eca354407cd09060081d2100e6ad50a5b821c5ed345ccefcb7bf29f37887a29bcd78dff406a6f15c06340c44755fa152039f3e0f0138a8e27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
17a75beda4a550f8361e0b568108ee14

SHA1
af5896b054074af983b3a7c4f3d451c8d86a7b94

SHA256
3cbdc40b1d71b1e2b36051c9d75670c301699e547f4862c32d28d33cc0a374fc

SHA512
e38f5d25f038b17e15151d77564ea724a984326d5e39156cc9d2a5bd99ae71d6d120a8a9dbd9c01850004d8b161a0b93055f2053841ddab2239298cbce311dce

Download Submit
C:\Users\Admin\Desktop\DestroyPC.bat

Filesize
798B

MD5
2682a6fe1ba3324e01fe2797dd0ba7c7

SHA1
89013b9225a547a33ca7e47a10ed09fe2dfd6956

SHA256
c41396e0e6fc37022dfe3841c35ec70fbee6b8608d73c23d8116cd66f3eed09f

SHA512
529170f8b494a6732ccc88ab43d68ca9118a0680d654e0a2c15218ccbd01a944e07510c9db14c34d1a1263e52ebe508374c07cb4a1280c76eae2b6dbb0b0c495

Download Submit
C:\Users\Admin\Desktop\DestroyPC.bat

Filesize
783B

MD5
a747c7608bd0cd2fd17082315c86471b

SHA1
d761e438bd2f37079ea42ebb702b52b0d9781599

SHA256
8a27202559e11d253cc055ecc8d04008451b1d5af05e63908890708095214991

SHA512
7ef3afa901ec9fc8797db1b5b6f3dff3857c4df6ada600321aa766764384b8cd222cdc0963d65ecd704534f94892f606d50b984abc514afa1521fd4a21607dad

Download Submit
\??\pipe\crashpad_1772_KCFXURXKZOBHLKUJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads