Malware Analysis Report

2024-11-30 14:45

Sample ID 241117-q2xgws1ekc
Target https://github.com/kh4sh3i/Ransomware-Samples
Tags: thanos defense_evasion discovery evasion execution impact persistence ransomware trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file https://github.com/kh4sh3i/Ransomware-Samples was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Disables service(s)

Thanos family

Contains code to disable Windows Defender

Thanos Ransomware

Thanos executable

Deletes shadow copies

Renames multiple (52) files with added filename extension

Blocklisted process makes network request

Downloads MZ/PE file

Windows security modification

Drops startup file

Checks computer location settings

Executes dropped EXE

Modifies WinLogon

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Launches sc.exe

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Enumerates system info in registry

Modifies registry class

Runs ping.exe

System policy modification

Modifies data under HKEY_USERS

Kills process with taskkill

Runs net.exe

Analysis: static1

Detonation Overview

Reported: 2024-11-17 13:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-17 13:45
Reported: 2024-11-17 13:52
Platform: win10v2004-20241007-en
Max time kernel: 349s
Max time network: 313s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Disables service(s)

evasion execution

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A

Thanos Ransomware

ransomware thanos

Thanos executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Thanos family

thanos

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (52) files with added filename extension

ransomware

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fsutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763247747343655" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

Runs net.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4904 wrote to memory of 3480 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4688 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4688 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4904 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE N/A

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1fc0cc40,0x7ffa1fc0cc4c,0x7ffa1fc0cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1884 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3636,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3760 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Thanos\" -spe -an -ai#7zMap12898:96:7zEvent11329

C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe

"C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\net.exe

"net.exe" stop avpsus /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop mfewc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccSetMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBFCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooIT /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop stc_raw_agent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop veeam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop sophos /y

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE

"C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled

C:\Windows\SysWOW64\net.exe

"net.exe" stop avpsus /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop mfewc /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

C:\Windows\SysWOW64\net.exe

"net.exe" stop ccSetMgr /y

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\SysWOW64\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop QBFCService /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe

C:\Windows\SysWOW64\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop YooIT /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop stc_raw_agent /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop veeam /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SysWOW64\net.exe

"net.exe" stop sophos /y

C:\Windows\SysWOW64\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SysWOW64\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SysWOW64\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SysWOW64\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp90B8.bat

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.169.10:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 collector.github.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 140.82.113.22:443 collector.github.com tcp
GB 172.217.169.10:443 content-autofill.googleapis.com udp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cutewallpaper.org udp
GB 172.217.16.228:443 www.google.com tcp
US 104.21.37.179:443 cutewallpaper.org tcp
US 8.8.8.8:53 179.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 104.21.37.179:443 cutewallpaper.org tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

\??\pipe\crashpad_4904_IDEBDHGRJLKYVUAD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 ea601f7557372c938038511691e72819
SHA1 7246e60ed9f53c7d8c7251a9dbddd6ad097647f6
SHA256 43b73c7130f50c345ff3ccb8812d8667318e68e4730deb43e0f413d67a98c637
SHA512 f4020d9bd4f97118bd253f55d0ab6cd10aa88162be112d2dd9f03f94beb849fce2ca2b46437a09c990662e15e18e2633fa6abbd5a02d07fc582310f13e36dec2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e4841c75fdb233e0e6a289d1b93f1478
SHA1 120e61bb7f88362a5dfdd81acb39ec3f7def5ff1
SHA256 b08c65e2e947c7b5e14f71b5fc3c88f4b825d08bd5370da07d9b589449e8d1b1
SHA512 18246a6473e1ade69caf449ff0f6b0340f6f2d0e6ce04b9cf58913b0b879f5fde9b940181cf43eca29faa05925450f49053f1bbeb8a873e293d0479620dde065

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1c0feed57b941fdd6ef118c19336ac5c
SHA1 f7e16154494899ccb96c667a6abc08e7a614b79e
SHA256 69901215a6f57bb35e2145552adcdd71ba8db9eeb31cc29f878f915a712c8c5e
SHA512 fdb325e53586903cc7595afc0e792d016ff3c5db10754e3856122019f90e2eed595075633e0ec629416bc467c72e48c7f20841599c02dbacb65f4a2998f31005

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 bbdf40027a966dc1edce479894ec339c
SHA1 0c683e6b1ca57a8036824cba01b113ecee5c26ce
SHA256 bb38f5f938e16ed4773b643553bff8b75513c4b0c1c658f164ad8b1eac6c8c85
SHA512 486bdc6bff2a9c9cdd3092605c7c57bda891eef459fa8073ad8ec38a2c7df425bf9fac24200e7151ba2ad86e28461403f602d6320b5c79f014ee59a2a7648aa2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2ca1a23f9416b66d25180a00db9b90a8
SHA1 1eab7e4b1fd9d10aac25cd9436d66ccadb6cd42f
SHA256 888a7a029a9fd67237a06567aa562a2c9e018ab18d633c75b4469abd9b793147
SHA512 16c24a80a5f08acdddab763d84be175bdd2bdb6cb16f6807eaa69a0b5279c8570f88d71fb9d29474c3eff97eef5b3a25bcd3b5413750becb61f0d1d674dd232a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b567ca3bb1d13b8238912ff76450659e
SHA1 dc29d727b566d5c91de1a822d5aaed699fa64bf9
SHA256 ebd9422ebaade65c1256aae1b0f0605c66f2922141c94bee6de03f9ff9c18cf8
SHA512 03fe4464ad63daa83d5f658177e86cb13ab66b5ed9cb383497d5285f122e5a3e3ee45240396b7123c0906e607bcba660bf4b712274e0c9060ed26f69f2550c9d

C:\Users\Admin\Downloads\Ransomware.Thanos.zip

MD5 00184463f3b071369d60353c692be6f0
SHA1 d3c1e90f39da2997ef4888b54d706b1a1fde642a
SHA256 cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787
SHA512 baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b6dcf0ecb9dddf705ac0c1534e5d52c9
SHA1 27b0af568c30cd3482cb0958192c3956f5bfc19d
SHA256 25fc2a1c62fa26ace2b90ddc94e2f5abb24b0b2e525a5ebfa041a1366154b79e
SHA512 82e6cbcc18a0738085b947787f577a381966a1330673042ac0eed7bb8042166b04701abb432063e6f3c927a4b6894dd168c46e76222d2af75c72973f2e7770ea

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 17c667849ecd92c8a834f02a88da223b
SHA1 8bcbbeb3e9655abdf731af9c69c56ddb5570ac1a
SHA256 5083a209841c34992e66b8ff94691f42899b1290d1907557dc8d5a0b4c8e7357
SHA512 ebbb6b1e302573ae5a000022fdc3bd48b6a930e80bd8415598566182dfc6de3fa1e2e39cfeae63e0c2dffaeb7d3dd310f41315b4e34db7f218b97d316b2f0c20

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 91cf71eedd2010b32243dff7a19a9ac5
SHA1 8bb971729217d9e712b2ce65453d823dbe66233a
SHA256 1ea12c7bea133ede2ccc1f6eb67c012af9f962b144b4bd2c44a4482b59a3b609
SHA512 260379c768cc8f223b13ab967d2189626edd7608e6f0ed53daa4ae8e28955da5216a0a50d08f50ca2cb233f812685a42fd0e6ca0e89d963ed3116ab31ddf4ee1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d07b6c78f46670b7baa834ac65d80036
SHA1 7c65291f00482e1227b1d1d9584d3fb906b23d2f
SHA256 28a84a17a62c2c9defcbacfe7e74ae72c4d2a4811fb714ca9dfbb27cf010dd99
SHA512 4fb3cfd734443463fbddcce25a2e1b50b07a5d305e91b4b947f581ed41f661922beb9add5ea73fc0f4b2427da787ede2ccf796c0268d3d7fcaa18976c6d28009

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 309060fe08d23c99dd686b53454ad2b8
SHA1 8e1fc2aa4f35b17cf6b92d910d23acf944b4933f
SHA256 c0f9304c10c946ed2ee3d7ab4037adabc6b1a8dfe27f533e8c2de631df8ac926
SHA512 93753749e9097ddcbb4101649437cc1a3942ed8998c201914271a126025afaa46ab02afd829e62a4dec4eba6eaa2e0b12eac2011ea80224d5e8324e8cebe0d50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b5c0118f6f0df315105ec120298db466
SHA1 d7d53b7380f32f0f781bfb29d2b231e32080c998
SHA256 5595d69dbe6dc7e3b1be45c057145538d8c7098593d9661ea639376bed12badb
SHA512 43c5de43a2cb6150c6e1107a915d8bdf7dd8310bbea558e00f3c08eccdba34c4a077920afea181af4edba9a3d0f1c38b1af81c0936d8a0c3dda82e14d50b1b14

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 89bc63e70a3f37631d12d384a9ed4146
SHA1 566aaccb6e8a00a067a1a3fe3e0b83b71d3fe82b
SHA256 b4d2f2f662b7ec0da6c4bd664da69fcc22a382296cb662094acb17a0ae67a495
SHA512 f749b5ca19486529800a6432ca046949779ab4fc096e6aab1ac0d79d35027385fec80767f1ff77ded340c5ee22fa9a38d5de80ac50446c95c2bc45124af0baeb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9cd14fabc9b9e25f411ccad687bc424a
SHA1 d49e970286197905fc6b923dea21f8d944651bf9
SHA256 1245c5c4838115e3a69e46beee66239e4a0eb58046ca120d0e8e30d81d1e09fe
SHA512 d4fe5083b2d0aea685fd08787270491d36476f21af762f3c27222bfb12fe9e92db0f109a6daabe747e6e66b4f18685e3d5441b8dfa6775ba3daeb420b1a46669

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 c4ff8ef4bd78d8739c2da662f7e79b52
SHA1 1548f2699bf1786fdbf05468376ba9ffb3eda562
SHA256 b56388b246c35514abf324f0c756ca2a26a27fad328d815e48a61dd7d4c52d9d
SHA512 786a93170e22a6b7177841e49bda265b8c2d55090366d768ad9a230c2b8657707f9fb868e223c3ca79c5f9ad863d91a2b8efbdae540aeb5d406beac5093265b9

C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe

MD5 e01e11dca5e8b08fc8231b1cb6e2048c
SHA1 4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512 298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

memory/2540-389-0x0000000000A70000-0x0000000000A8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5rfelv1.zv3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/788-395-0x0000022CDDE10000-0x0000022CDDE32000-memory.dmp

C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE

MD5 be60e389a0108b2871dff12dfbb542ac
SHA1 14b4e0bfac64ec0f837f84ab1780ca7ced8d670d
SHA256 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
SHA512 6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641

memory/6112-453-0x0000000000600000-0x000000000061C000-memory.dmp

memory/5468-467-0x0000000002870000-0x00000000028A6000-memory.dmp

memory/5468-468-0x0000000005280000-0x00000000058A8000-memory.dmp

C:\HOW_TO_DECYPHER_FILES.txt

MD5 9520796899ab3dd7a9cd50cbfb496e1a
SHA1 565860779c4d3f9a7034b806b21493ddc9c79809
SHA256 6ffef872ffcf921b88e4a26ef7584cc6c6fa4862b16f1606ce78df72d39f3c48
SHA512 e8d7343d4178cfcb9b5b70a561f9e901606a59a15e394cabd55b748b34ce4bfbf8326a0278703a8c5486d244b2a291f2611687909852bd0be9e9d558c76c6344

memory/5468-516-0x0000000005A20000-0x0000000005A86000-memory.dmp

memory/5468-515-0x00000000059B0000-0x0000000005A16000-memory.dmp

memory/5468-514-0x0000000005910000-0x0000000005932000-memory.dmp

memory/5468-526-0x0000000005D20000-0x0000000006074000-memory.dmp

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5 71f380ab6f64aea14092a99da8c07793
SHA1 d1797498e3141a6f4e42d1d371a09ada267a6b39
SHA256 ad43af3a1914954895d4daa2cc8124bd1229d4fc684254c7153a79f24865c97e
SHA512 c1318181202e2e90bb2b8b545d9806cd1916d5857a9d87e857ffafc54cf585a981c384b957f3ba703323ba9abe26201ce8dfb991a402881a119e9615efdbb60d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/5468-534-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/5468-533-0x0000000006190000-0x00000000061AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt

MD5 de09fbbf7f3b94cc2f7e36aa37065d06
SHA1 f0a868a9038530f81e4f8412904e3703bf416180
SHA256 f5e77fa11289a6dd102456608ccd8c5bd824b58123cd00cde1118a1ebd9db0d3
SHA512 17a2567038f0331a836a0cf5c6513855454d9c6656e6619f74f0f9d72f0f5a8cd721a88794f498c404804f226e1c99c966c4c265d637b80c0141697608f84de4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

MD5 56f4c6b47437e06381af45a85fc0f611
SHA1 8118c7d7c39f49ed395fb0ae7fb19ee0e95368a5
SHA256 f20821e1db6ac90c932ac8f927cfdf4853041bdcb3f177d89dfa8541cccaf93f
SHA512 192a1f72f6191aea031b51cb73d318a5e57c3143c7649759e1ca56abc952e79e00fe020b2e652e22b36fb1dcc24128acab5a13fdd6ef1ef2f4cf6e7a538988d8

memory/5468-566-0x0000000006740000-0x0000000006772000-memory.dmp

memory/5468-567-0x000000006FCF0000-0x000000006FD3C000-memory.dmp

memory/5468-577-0x0000000007360000-0x000000000737E000-memory.dmp

memory/5468-579-0x0000000007380000-0x0000000007423000-memory.dmp

memory/5468-608-0x0000000007B00000-0x000000000817A000-memory.dmp

memory/5468-609-0x00000000074C0000-0x00000000074DA000-memory.dmp

memory/5468-610-0x0000000007530000-0x000000000753A000-memory.dmp

memory/5468-612-0x0000000007740000-0x00000000077D6000-memory.dmp

memory/5468-613-0x00000000076C0000-0x00000000076D1000-memory.dmp

memory/5468-614-0x00000000076F0000-0x00000000076FE000-memory.dmp

memory/5468-615-0x0000000007700000-0x0000000007714000-memory.dmp

memory/5468-616-0x0000000007800000-0x000000000781A000-memory.dmp

memory/5468-617-0x00000000077E0000-0x00000000077E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 50bb1575c1393d9a3697c3dae6fb2b6c
SHA1 e874da64f63eff1d7c598524356642c3c5abf330
SHA256 c26fedfb02d6b14481a7fda78139830cf2cf6a0fd6a6ed4d032cebb119a5dee9
SHA512 2f91fa27c36314f83634cba40d3db6f144843c3e7f28600c0f2458ab4fe0730705efc34e2ba830a423aff039ee2a19d8bcda08e00507cb27c3a11c7bd9d5d01b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 f0a512ec082edd72089e275e5c569d8b
SHA1 d53c416f97e7f5d7884cb999e35344b69a662dec
SHA256 59fcc1cd8f0c6170b6f25a56aec14b60bafd15c5374b7a4a14c874003bae42dc
SHA512 f71c6001864cb73f036c4cf4c5a0e477b6d9936dc5e681184cd60125e9689f65721981866687109d99b03268d08b2cf46962f6bd7baa884a1a464fd86cde0509
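The Files list above mixes indicators of very different value: the crashpad named pipe carries the hash set of zero bytes (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442...), so it would match every empty file on a host; the memory/... entries have no hashes at all; the many Chrome profile files are versions of host-specific state; and only the ransom notes, the Startup folder .lnk and the executables are worth sweeping other machines for. The script below, an added example and not the sandbox's own tooling, parses the block in the layout shown on this page (path line, blank line, then MD5/SHA1/SHA256/SHA512 lines), ranks each entry, builds a SHA-256 index from the strong ones, and hashes a directory tree against it. The excerpt is copied from the entries above; the category names, the function names and the path C:\constructed\abc.bin used in the self-check are this example's own.

```python
"""Rank the 'Files' block of a sandbox report and sweep a tree for its hashes.
Added example: the layout assumed here is the one on this page, not a vendor API."""
import hashlib
import os
import re
from dataclasses import dataclass, field

# SHA-256 of zero bytes: an entry with this hash set had no content captured.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Excerpt of the report's Files block, copied from the entries above.
REPORT_EXCERPT = r"""
\??\pipe\crashpad_4904_IDEBDHGRJLKYVUAD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe

MD5 e01e11dca5e8b08fc8231b1cb6e2048c
SHA1 4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
SHA512 298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

memory/2540-389-0x0000000000A70000-0x0000000000A8A000-memory.dmp

C:\HOW_TO_DECYPHER_FILES.txt

MD5 9520796899ab3dd7a9cd50cbfb496e1a
SHA1 565860779c4d3f9a7034b806b21493ddc9c79809
SHA256 6ffef872ffcf921b88e4a26ef7584cc6c6fa4862b16f1606ce78df72d39f3c48
SHA512 e8d7343d4178cfcb9b5b70a561f9e901606a59a15e394cabd55b748b34ce4bfbf8326a0278703a8c5486d244b2a291f2611687909852bd0be9e9d558c76c6344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

MD5 56f4c6b47437e06381af45a85fc0f611
SHA1 8118c7d7c39f49ed395fb0ae7fb19ee0e95368a5
SHA256 f20821e1db6ac90c932ac8f927cfdf4853041bdcb3f177d89dfa8541cccaf93f
SHA512 192a1f72f6191aea031b51cb73d318a5e57c3143c7649759e1ca56abc952e79e00fe020b2e652e22b36fb1dcc24128acab5a13fdd6ef1ef2f4cf6e7a538988d8
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest

def parse_files_section(text):
    """Any non-blank line that is not a hash line starts a new entry (memory dumps have none)."""
    artifacts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and artifacts:
            artifacts[-1].hashes[m.group(1)] = m.group(2).lower()
        else:
            artifacts.append(Artifact(path=line))
    return artifacts

def classify(a):
    """Rank an entry by what a responder can do with it; the order of checks matters."""
    p = a.path.lower()
    if p.startswith("memory/"):
        return "memory-dump"            # no hash on the page, cannot be matched on disk
    if a.hashes.get("SHA256") == EMPTY_SHA256:
        return "empty-content"          # e.g. the crashpad pipe: would hit every zero-byte file
    if "how_to_decypher_files" in p:
        return "ransom-note"
    if "\\start menu\\programs\\startup\\" in p:
        return "startup-persistence"
    if p.endswith((".exe", ".dll")):
        return "executable"
    if "\\google\\chrome\\user data\\" in p:
        return "browser-profile"        # per-host state rewritten during the run; weak IOC
    return "other"

STRONG = {"ransom-note", "startup-persistence", "executable", "other"}

def build_sha256_index(artifacts):
    """Map SHA-256 -> report path for the entries worth sweeping other hosts for."""
    return {a.hashes["SHA256"]: a.path for a in artifacts
            if classify(a) in STRONG and "SHA256" in a.hashes}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root, index):
    """Hash every regular file under root; return (local path, report path) for each match."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            try:
                digest = sha256_of(full)
            except OSError:
                continue                # unreadable or vanished file: skip, do not abort the sweep
            if digest in index:
                hits.append((full, index[digest]))
    return hits

if __name__ == "__main__":
    arts = parse_files_section(REPORT_EXCERPT)
    for a in arts:
        print(f"{classify(a):20} {a.path}")
    print(len(build_sha256_index(arts)), "strong SHA-256 indicators")
```

Run it against the full Files block pasted into REPORT_EXCERPT and only the ransom notes, the Startup .lnk and the two Desktop executables end up in the index; the Chrome profile versions and the zero-byte pipe entry are reported but kept out of the sweep, which is the point of ranking before hashing a fleet.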